Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574233
MD5:	e065205fc134566fda736ccc9be37e12
SHA1:	ee67f894363f08641cc5776c221f506f655f3974
SHA256:	d9fa5d9c0c146db63a04997489362a3991095598941556880dbc5a2d22cc6c35
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6796 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E065205FC134566FDA736CCC9BE37E12)

taskkill.exe (PID: 5672 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2728 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7096 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2100 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4176 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3404 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4552 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5784 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2788 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2200 -prefMapHandle 2192 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b81855ed-d965-4fdf-8e94-63f103592f59} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162a4c70b10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7396 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -parentBuildID 20230927232528 -prefsHandle 2148 -prefMapHandle 3980 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c19d47-4226-4162-bf4f-a9cc946d4c3b} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162b64d0010 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8036 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 2928 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db75d719-a1f1-4453-b1fb-183b70aadf76} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162c0d38d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6796	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0011EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0011EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0011ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0011ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0011EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0010AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0010AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00139576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00139576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b1a7ab03-2
Source: file.exe, 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_941a6295-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_23343786-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fdcaff2d-4

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000018A6233A872 NtQuerySystemInformation,		18_2_0000018A6233A872
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000018A62333B37 NtQuerySystemInformation,		18_2_0000018A62333B37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0010D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0010D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00101201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00101201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0010E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0010E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00112046	0_2_00112046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A8060	0_2_000A8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00108298	0_2_00108298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000DE4FF	0_2_000DE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D676B	0_2_000D676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00134873	0_2_00134873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000CCAA0	0_2_000CCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000ACAF0	0_2_000ACAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000BCC39	0_2_000BCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D6DD9	0_2_000D6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000BB119	0_2_000BB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A91C0	0_2_000A91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C1394	0_2_000C1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C781B	0_2_000C781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A7920	0_2_000A7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B997D	0_2_000B997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C7A4A	0_2_000C7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C7CA7	0_2_000C7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0012BE44	0_2_0012BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D9EEE	0_2_000D9EEE
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000018A6233A872	18_2_0000018A6233A872
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000018A62333B37	18_2_0000018A62333B37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000018A6233A8B2	18_2_0000018A6233A8B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000018A6233AF9C	18_2_0000018A6233AF9C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000A9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000BF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000C0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001137B5 GetLastError,FormatMessageW,

0_2_001137B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001010BF AdjustTokenPrivileges,CloseHandle,		0_2_001010BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001016C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001151CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0010D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0010D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0011648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0011648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000A42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4140:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2447939951.00000162C0D40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2448254150.00000162C0CF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2466722132.00000162C0CF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2510599625.00000162C0D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	Virustotal: Detection: 23%
Source: file.exe	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2200 -prefMapHandle 2192 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b81855ed-d965-4fdf-8e94-63f103592f59} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162a4c70b10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -parentBuildID 20230927232528 -prefsHandle 2148 -prefMapHandle 3980 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c19d47-4226-4162-bf4f-a9cc946d4c3b} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162b64d0010 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 2928 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db75d719-a1f1-4453-b1fb-183b70aadf76} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162c0d38d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2200 -prefMapHandle 2192 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b81855ed-d965-4fdf-8e94-63f103592f59} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162a4c70b10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -parentBuildID 20230927232528 -prefsHandle 2148 -prefMapHandle 3980 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c19d47-4226-4162-bf4f-a9cc946d4c3b} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162b64d0010 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 2928 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db75d719-a1f1-4453-b1fb-183b70aadf76} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162c0d38d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2474370676.00000162B9101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2481446218.00000162B2768000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2481446218.00000162B2768000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2474370676.00000162B9101000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000A42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000C0A76 push ecx; ret

0_2_000C0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_000BF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00131C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00131C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96008

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_0000018A6233A872 rdtsc

18_2_0000018A6233A872

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0010DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0010DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000DC2A2 FindFirstFileExW,	0_2_000DC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001168EE FindFirstFileW,FindClose,	0_2_001168EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0011698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0011698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0010D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0010D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0010D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0010D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00119642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00119642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0011979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0011979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00119B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00119B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00115C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00115C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000A42DE

Source: file.exe, 00000000.00000002.2347106077.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2344472612.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2341976300.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2340977657.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWYI
Source: firefox.exe, 00000010.00000002.3502438462.000001FA6FB40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3496863562.000001FA6F3AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3501970381.0000018A628C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3496835184.0000018A6208A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3496460091.000001CACA87A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3501431514.000001CACAC00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3501651168.000001FA6F718000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3502438462.000001FA6FB40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3496863562.000001FA6F3AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3501970381.0000018A628C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_0000018A6233A872 rdtsc

18_2_0000018A6233A872

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0011EAA2 BlockInput,

0_2_0011EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000D2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000A42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000C4CE8 mov eax, dword ptr fs:[00000030h]

0_2_000C4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00100B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00100B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000D2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000C083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C09D5 SetUnhandledExceptionFilter,	0_2_000C09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000C0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00101201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000E2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000E2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0010B226 SendInput,keybd_event,

0_2_0010B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001222DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00100B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00101663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00101663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000C0698 cpuid

0_2_000C0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FD21C GetLocalTime,

0_2_000FD21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FD27A GetUserNameW,

0_2_000FD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_000DB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000A42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6796, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6796, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00121204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00121204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00121806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00121806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	24%	Virustotal		Browse
file.exe	29%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.17.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3497569962.0000018A622C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3497061291.000001CACAAC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2500474524.00000162B7611000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2463937903.00000162B6125000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2464851527.00000162B6108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381668737.00000162B521B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2405809981.00000162B521B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2444868275.00000162B521F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000014.00000002.3497061291.000001CACAA8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2493728621.00000162BD552000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2451460047.00000162BD3DB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2463937903.00000162B6150000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2303069755.00000162B4C52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301421393.00000162B4C0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301614843.00000162B4C31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300896679.00000162B2900000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2507508521.00000162B67AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2506592713.00000162B7088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2516398978.00000162B7088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2524662563.00000162B678E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2507508521.00000162B678E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2462781688.00000162B707C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2510763419.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447939951.00000162C0D6C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2454694442.00000162BCEF6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2494907217.00000162BCFC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2519723421.00000162BCFC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2452898642.00000162BCFC5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2455311872.00000162BCE2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2523347897.00000162B70EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2505124248.00000162B70EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303069755.00000162B4C52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301421393.00000162B4C0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301614843.00000162B4C31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2462382725.00000162B70EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300896679.00000162B2900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2521807764.00000162B8C4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2432666032.00000162B7348000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2499954530.00000162B800F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2457280898.00000162B800F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2301421393.00000162B4C0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301614843.00000162B4C31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300896679.00000162B2900000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.2358408798.00000162B5BF7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2521858347.00000162B869F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2463576346.00000162B64B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356942245.00000162B64B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2451460047.00000162BD3DB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://ac	firefox.exe, 00000010.00000002.3501175846.000001FA6F6A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2467006394.00000162C0C61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2366246522.00000162B6FB6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2466959458.00000162C0CAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2446554223.00000162C12C0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2466959458.00000162C0CAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3497569962.0000018A6220A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3497061291.000001CACAA0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2379994726.00000162B5237000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2405558163.00000162B5268000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381857284.00000162B524A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404692298.00000162B525F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2452349314.00000162BD3A6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2493728621.00000162BD552000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2467006394.00000162C0C61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3497569962.0000018A622C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3497061291.000001CACAAC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2469211079.00000162B8C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2521703607.00000162B8C58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2380686063.00000162B5233000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://acZ1	firefox.exe, 00000014.00000002.3501087325.000001CACABF0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2488292668.00000162B71DF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2467006394.00000162C0C61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2507508521.00000162B67AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2523484568.00000162B70D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2505519111.00000162B70D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2462680085.00000162B70CF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2511228290.00000162BEB22000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2446554223.00000162C12C5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2451460047.00000162BD3DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2455311872.00000162BCE3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3497569962.0000018A62212000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3497061291.000001CACAA13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2493728621.00000162BD552000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/connection-not-secure	firefox.exe, 0000000E.00000003.2463859501.00000162B61FA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2454694442.00000162BCEF6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2507291443.00000162B6EF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2524407785.00000162B6EF4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2372857216.00000162B712F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2367272791.00000162B71D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312789173.00000162B4F9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364104536.00000162B71F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2439752879.00000162B52DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2526068862.00000162B64B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2496594095.00000162BCEA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2452898642.00000162BCFB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2550541048.00000162B52EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2496115557.00000162BCF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2425283736.00000162B6FB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2488292668.00000162B71DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2487690968.00000162B7349000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2508319796.00000162B65E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364104536.00000162B7137000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2367272791.00000162B71E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2454961592.00000162BCEA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2498687030.00000162B810E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2442290338.00000162B71E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2500474524.00000162B76C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2407666830.00000162B57E0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2356942245.00000162B6417000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2454513653.00000162BCF0F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2454513653.00000162BCF0F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2507291443.00000162B6EF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2524407785.00000162B6EF4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2494907217.00000162BCFC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2519723421.00000162BCFC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2452898642.00000162BCFC5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2493728621.00000162BD55F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2518942696.00000162BD55F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2494907217.00000162BCFC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2519723421.00000162BCFC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2452898642.00000162BCFC5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2464888991.00000162B60E3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2459673347.00000162B72E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2501839812.00000162B72E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2470064120.00000162B72E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2468606283.00000162B8CCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2520537087.00000162B8CCC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2381857284.00000162B525D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379994726.00000162B5237000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2405558163.00000162B5268000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381857284.00000162B524A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379994726.00000162B525D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404692298.00000162B525F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2467006394.00000162C0C61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://acg	firefox.exe, 00000012.00000002.3501543998.0000018A62390000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2511228290.00000162BEB22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2493728621.00000162BD552000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2516492754.00000162C1226000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2447399853.00000162C0DE3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2300896679.00000162B2900000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2303069755.00000162B4C52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301421393.00000162B4C0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301614843.00000162B4C31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2524269617.00000162B7071000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2506992022.00000162B7071000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300896679.00000162B2900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2432666032.00000162B7348000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2454694442.00000162BCEF6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3501053572.000001FA6F650000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3497093274.0000018A620C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3500934524.000001CACAB40000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574233
Start date and time:	2024-12-13 06:31:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.228.225.150, 35.85.93.176, 54.213.181.160, 142.250.181.106, 172.217.17.46, 88.221.134.155, 88.221.134.209, 13.107.246.63, 23.218.208.109, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:32:29	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
dyna.wikimedia.org	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.121.53
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	http://sourceforge.net/projects/nircmd/files/nircmd-x64.zip/download	Get hash	malicious	Unknown	Browse	34.117.77.79
ATGS-MMD-ASUS	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.252.209.208
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	56.211.75.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.2.87.119
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.64.214.188
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.252.209.208
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	56.211.75.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.2.87.119
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.64.214.188
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_86d3d877-35d6-4999-9461-8958b432b14f.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.176561951706109
Encrypted:	false
SSDEEP:	192:gBMXzP4cbhbVbTbfbRbObtbyEl7nQrSJA6unSrDtTkdxSofF:giUcNhnzFSJwrB1nSrDhkdxB
MD5:	0015C7C6847BEBBCE1C6358D5B8D394C
SHA1:	5B7D142E23DA21230112E55CD0683BB46B2F9B9D
SHA-256:	69F8A5A13C428BBD82635164420FA7478B5578A1DABC371B6E397FACBDB76919
SHA-512:	3842927C76516D49FF3145AB0ACF44630D3835516A3F36718920AEE7A42A6480C0874ED7B105FE3ACA2AC11EE9D909EAAC0A5361B52886BC39872C3BFD4FB81D
Malicious:	false
Preview:	{"type":"uninstall","id":"86d3d877-35d6-4999-9461-8958b432b14f","creationDate":"2024-12-13T07:18:15.053Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_86d3d877-35d6-4999-9461-8958b432b14f.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.176561951706109
Encrypted:	false
SSDEEP:	192:gBMXzP4cbhbVbTbfbRbObtbyEl7nQrSJA6unSrDtTkdxSofF:giUcNhnzFSJwrB1nSrDhkdxB
MD5:	0015C7C6847BEBBCE1C6358D5B8D394C
SHA1:	5B7D142E23DA21230112E55CD0683BB46B2F9B9D
SHA-256:	69F8A5A13C428BBD82635164420FA7478B5578A1DABC371B6E397FACBDB76919
SHA-512:	3842927C76516D49FF3145AB0ACF44630D3835516A3F36718920AEE7A42A6480C0874ED7B105FE3ACA2AC11EE9D909EAAC0A5361B52886BC39872C3BFD4FB81D
Malicious:	false
Preview:	{"type":"uninstall","id":"86d3d877-35d6-4999-9461-8958b432b14f","creationDate":"2024-12-13T07:18:15.053Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.93004609135462
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLVJ8P:gXiNFS+OcUGOdwiOdwBjkYLVJ8P
MD5:	FF46FC04568D789B6C6206AFDA688440
SHA1:	5798DE6D0FBB1B95DC22D5C1377A650C0F18AC4E
SHA-256:	39ACDA936B040CFB094D01277DCE8AF9AE279F5323C93ABB22EDCD8460959CD2
SHA-512:	B0E0A05F1477AB6D6CF566C90B8FB40A60DFD2C39DC6577071B54BAF898D803FD774AAFD502988B8FB45F38F3BE5FC9F1DED25CB784B1C46658B958A3259552E
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.93004609135462
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLVJ8P:gXiNFS+OcUGOdwiOdwBjkYLVJ8P
MD5:	FF46FC04568D789B6C6206AFDA688440
SHA1:	5798DE6D0FBB1B95DC22D5C1377A650C0F18AC4E
SHA-256:	39ACDA936B040CFB094D01277DCE8AF9AE279F5323C93ABB22EDCD8460959CD2
SHA-512:	B0E0A05F1477AB6D6CF566C90B8FB40A60DFD2C39DC6577071B54BAF898D803FD774AAFD502988B8FB45F38F3BE5FC9F1DED25CB784B1C46658B958A3259552E
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333858257979299
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkid:DLhesh7Owd4+ji
MD5:	B34022C9AD6B6CB0ADBF51DE60563D64
SHA1:	A2F01B1F1A831C37590BE66DF69E0C3FC0A3CBC9
SHA-256:	1E2C66ED1BDC57C8EC46DD0F09C5FAD6243E119585A65D93EC227D1175093A01
SHA-512:	6E16432E2EEC33EAAE734CDFB4F39B18D828F0D8E996DAAA8CD30EF9DC39774B54F5AD71784A7D389A5786BDBFB9CC9BE480B0860F7A6000BDEEF48013E2F3F5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03527901201715328
Encrypted:	false
SSDEEP:	3:GtlstF45LwSwnKWgPlstF45LwSwnKWPlL89//alEl:GtWt65LqwWt65LqPx89XuM
MD5:	36B774AC930DA0EA21152064C5F4296D
SHA1:	7300164EC6D29F3BA180FEC26B087ADC9975DD00
SHA-256:	7C0242F5430985179A0404F5FF2C04AF3A6E0AEB5DB247A914BDBD41FBD4CDB4
SHA-512:	283235B3F19E74EC0BD43BD45FFBB8167607892AD52A3CED79C653AC709149068471A580FBB7A07C3E13D138E9BD3BEE5A66CAC84A00C58187D4D9ED6F7E2523
Malicious:	false
Preview:	..-.....................o.Go.3..W......od..h..-.....................o.Go.3..W......od..h........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03498508914487779
Encrypted:	false
SSDEEP:	3:Ol1vXe21dtofYjvg8LFf5SrV//mwl8XW3R2:KxbXPg8pEpuw93w
MD5:	560A1EC0F3102CE4E2FE20F925B5C9BB
SHA1:	63C14675669A3F3EE07A0EB70539C15CC74EDA7D
SHA-256:	50ED0DCEDCD1A04A7B253334D859784E9FEB494320F019E6E5033FCD88792B01
SHA-512:	5216B2E02C7BF4BDE30AC5DA26F326F85A4C752790F75AED4B4D6EDABF1B217D3F0DA9584D2D3ED43C604F359740210627345EFA26568181B1FB49B6C47DB932
Malicious:	false
Preview:	7....-............W....-y...^...........W....oG.o3*..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.466658477956463
Encrypted:	false
SSDEEP:	192:hnTFTRRUYbBp6WLZNMGaXm6qU4NPzy+/3/7pfE5RYiNBw8d0Sl:xKePFNMpWryCedw/0
MD5:	D7EE2F3CD51F5B78A2E14E9BA5A3CADF
SHA1:	C29FFFDF9A9A7B540765666BC022430527CDCEEF
SHA-256:	313407076AFE1ED0C96AF4CD088AB6EEDD100028BC868D87B5599F7E4684EDC2
SHA-512:	664D3423AE468910BF0074F1E9ED614F3AE6565F3810F343716236E1248884E3DC938012C34FE8B9D78D8E7D6B478B94CD9CE3BFEA6C1761D574BD9C89E40C1E
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734074265);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734074265);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734074265);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173407

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.466658477956463
Encrypted:	false
SSDEEP:	192:hnTFTRRUYbBp6WLZNMGaXm6qU4NPzy+/3/7pfE5RYiNBw8d0Sl:xKePFNMpWryCedw/0
MD5:	D7EE2F3CD51F5B78A2E14E9BA5A3CADF
SHA1:	C29FFFDF9A9A7B540765666BC022430527CDCEEF
SHA-256:	313407076AFE1ED0C96AF4CD088AB6EEDD100028BC868D87B5599F7E4684EDC2
SHA-512:	664D3423AE468910BF0074F1E9ED614F3AE6565F3810F343716236E1248884E3DC938012C34FE8B9D78D8E7D6B478B94CD9CE3BFEA6C1761D574BD9C89E40C1E
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734074265);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734074265);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734074265);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173407

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.330632283975067
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSd2ioLXnIg6t/pnxQwRlszT5sKLP3eHVvwKXTmamhujJmyOOxmOmab:GUpOx9TCnR6j3eNwCTm4JNKRhW
MD5:	851AA1722EE10B25630D31DC502A477F
SHA1:	02F631D8645A6502236639C79A0F17841A6C2EC5
SHA-256:	C6CE7577B7449F64CB81C82E51012EA60C6A7580F13373861DF078DE7100C4BE
SHA-512:	EB1FE89134FA29751734621FE8B080583F483064EE6722AF09862B71ADB6B17B86BB02C8833AE7CCE2BCA361113239C0206232711D40967734CA06132EF69F8E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c44004b1-6371-4776-8d9f-e8decc82c6be}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734074270138,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0346...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...41098,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.330632283975067
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSd2ioLXnIg6t/pnxQwRlszT5sKLP3eHVvwKXTmamhujJmyOOxmOmab:GUpOx9TCnR6j3eNwCTm4JNKRhW
MD5:	851AA1722EE10B25630D31DC502A477F
SHA1:	02F631D8645A6502236639C79A0F17841A6C2EC5
SHA-256:	C6CE7577B7449F64CB81C82E51012EA60C6A7580F13373861DF078DE7100C4BE
SHA-512:	EB1FE89134FA29751734621FE8B080583F483064EE6722AF09862B71ADB6B17B86BB02C8833AE7CCE2BCA361113239C0206232711D40967734CA06132EF69F8E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c44004b1-6371-4776-8d9f-e8decc82c6be}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734074270138,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0346...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...41098,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.330632283975067
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSd2ioLXnIg6t/pnxQwRlszT5sKLP3eHVvwKXTmamhujJmyOOxmOmab:GUpOx9TCnR6j3eNwCTm4JNKRhW
MD5:	851AA1722EE10B25630D31DC502A477F
SHA1:	02F631D8645A6502236639C79A0F17841A6C2EC5
SHA-256:	C6CE7577B7449F64CB81C82E51012EA60C6A7580F13373861DF078DE7100C4BE
SHA-512:	EB1FE89134FA29751734621FE8B080583F483064EE6722AF09862B71ADB6B17B86BB02C8833AE7CCE2BCA361113239C0206232711D40967734CA06132EF69F8E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c44004b1-6371-4776-8d9f-e8decc82c6be}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734074270138,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0346...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...41098,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009376347917391
Encrypted:	false
SSDEEP:	48:YrSAYOBHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycUCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	9B64BA6E11094543194D8F70AFBB880E
SHA1:	5385B8EA3EF5641F4751FED4CF622C25E1E54BED
SHA-256:	5C3A3C4DF1BA5635E66564BF6EB9EC7B7B7627A31AB2DBC3AFE61F0508F8CD20
SHA-512:	8D641B624D4D36834B35C7CC88DD3E9B849D05D024B7E2F03745893BE244724218131C74D41C0A31B62A1B31FBF7F8F30D8797530328EDE4E6F2233C9DAB2BA5
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T07:17:34.040Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009376347917391
Encrypted:	false
SSDEEP:	48:YrSAYOBHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycUCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	9B64BA6E11094543194D8F70AFBB880E
SHA1:	5385B8EA3EF5641F4751FED4CF622C25E1E54BED
SHA-256:	5C3A3C4DF1BA5635E66564BF6EB9EC7B7B7627A31AB2DBC3AFE61F0508F8CD20
SHA-512:	8D641B624D4D36834B35C7CC88DD3E9B849D05D024B7E2F03745893BE244724218131C74D41C0A31B62A1B31FBF7F8F30D8797530328EDE4E6F2233C9DAB2BA5
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T07:17:34.040Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.70753871481993
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	972'288 bytes
MD5:	e065205fc134566fda736ccc9be37e12
SHA1:	ee67f894363f08641cc5776c221f506f655f3974
SHA256:	d9fa5d9c0c146db63a04997489362a3991095598941556880dbc5a2d22cc6c35
SHA512:	411dbbf6fe7451e6bb92d3666efb53ccbdf84380781ea657d7042b0d5837bd1c704c16f14f3891b242d7fdf36e47fa108ac938531a4c3c2332f8d9f27469a4cd
SSDEEP:	24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8aZGFh:5TvC/MTQYxsWR7aZGF
TLSH:	18259E0273D1C062FFAB92334F5AF6515BBC69260123A61F13A81D7ABD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BC499 [Fri Dec 13 05:22:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F2B3C701AE3h
jmp 00007F2B3C7013EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2B3C7015CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2B3C70159Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2B3C70418Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2B3C7041D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2B3C7041C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x16a90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x16a90	0x16c00	f93a5fed5a55f5ece9222da2540473f3	False	0.7071171016483516	data	7.199124540720954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xdc12	data			1.0004615002307502
RT_GROUP_ICON	0xea510	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea588	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea59c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea5b0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea5c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea6a0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 06:32:27.163670063 CET	49741	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:27.163717031 CET	443	49741	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:27.163935900 CET	49742	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:27.163988113 CET	443	49742	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:27.165255070 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:27.165855885 CET	49741	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:27.166063070 CET	49742	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:27.171339989 CET	49741	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:27.171360970 CET	443	49741	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:27.175863981 CET	49742	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:27.175889969 CET	443	49742	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:27.176321983 CET	49744	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:27.176348925 CET	443	49744	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:27.177041054 CET	49744	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:27.178873062 CET	49744	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:27.178891897 CET	443	49744	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:27.284996033 CET	80	49743	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:27.289120913 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:27.289366961 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:27.409070969 CET	80	49743	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:28.113312006 CET	49750	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:28.113367081 CET	443	49750	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:28.113557100 CET	49750	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:28.115010023 CET	49750	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:28.115026951 CET	443	49750	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:28.364840984 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:28.364885092 CET	443	49752	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:28.365039110 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:28.365180016 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:28.365187883 CET	443	49752	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:28.376012087 CET	80	49743	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:28.399331093 CET	443	49744	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:28.399406910 CET	49744	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:28.407358885 CET	49744	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:28.407375097 CET	443	49744	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:28.407480955 CET	49744	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:28.407629013 CET	443	49744	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:28.407691002 CET	49744	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:28.423551083 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:28.457220078 CET	49753	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:28.457247972 CET	443	49753	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:28.457480907 CET	49753	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:28.458966017 CET	49753	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:28.458980083 CET	443	49753	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:28.487274885 CET	49754	443	192.168.2.6	34.160.144.191
Dec 13, 2024 06:32:28.487343073 CET	443	49754	34.160.144.191	192.168.2.6
Dec 13, 2024 06:32:28.487498999 CET	49754	443	192.168.2.6	34.160.144.191
Dec 13, 2024 06:32:28.487643957 CET	49754	443	192.168.2.6	34.160.144.191
Dec 13, 2024 06:32:28.487674952 CET	443	49754	34.160.144.191	192.168.2.6
Dec 13, 2024 06:32:28.631119013 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:28.750823975 CET	80	49743	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:28.774949074 CET	49755	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:28.889873028 CET	443	49741	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:28.890122890 CET	49741	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.890872955 CET	443	49741	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:28.891026020 CET	49741	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.894630909 CET	80	49755	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:28.894855022 CET	49755	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:28.895209074 CET	49755	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:28.895757914 CET	49741	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.895766020 CET	443	49741	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:28.895857096 CET	49741	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.896008968 CET	443	49742	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:28.896095037 CET	49742	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.896120071 CET	443	49741	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:28.896174908 CET	49741	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.898515940 CET	443	49742	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:28.898581982 CET	49742	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.902815104 CET	49742	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.902822971 CET	443	49742	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:28.902997971 CET	49742	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.903450012 CET	443	49742	142.250.181.110	192.168.2.6
Dec 13, 2024 06:32:28.903508902 CET	49742	443	192.168.2.6	142.250.181.110
Dec 13, 2024 06:32:28.961393118 CET	80	49743	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:29.003240108 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:29.014878988 CET	80	49755	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:29.053858995 CET	49755	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:29.214148998 CET	80	49755	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:29.322911978 CET	49757	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:29.368187904 CET	443	49750	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:29.368262053 CET	49750	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:29.373418093 CET	49750	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:29.373431921 CET	443	49750	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:29.373507977 CET	49750	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:29.373730898 CET	443	49750	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:29.373794079 CET	49750	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:29.442650080 CET	80	49757	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:29.442724943 CET	49757	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:29.442890882 CET	49757	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:29.466969967 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:29.563044071 CET	80	49757	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:29.586752892 CET	80	49743	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:29.594050884 CET	443	49752	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:29.603343964 CET	443	49752	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:29.603851080 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:29.607541084 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:29.607554913 CET	443	49752	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:29.607865095 CET	443	49752	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:29.611823082 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:29.611911058 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:29.612216949 CET	443	49752	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:29.616868019 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:29.616888046 CET	49752	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:29.717283964 CET	443	49753	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:29.717349052 CET	49753	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:29.721672058 CET	49753	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:29.721678972 CET	443	49753	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:29.721765995 CET	49753	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:29.721890926 CET	443	49753	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:29.722071886 CET	49753	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:29.735979080 CET	443	49754	34.160.144.191	192.168.2.6
Dec 13, 2024 06:32:29.736052990 CET	49754	443	192.168.2.6	34.160.144.191
Dec 13, 2024 06:32:29.738995075 CET	49754	443	192.168.2.6	34.160.144.191
Dec 13, 2024 06:32:29.739006042 CET	443	49754	34.160.144.191	192.168.2.6
Dec 13, 2024 06:32:29.739372015 CET	443	49754	34.160.144.191	192.168.2.6
Dec 13, 2024 06:32:29.741420984 CET	49754	443	192.168.2.6	34.160.144.191
Dec 13, 2024 06:32:29.741488934 CET	49754	443	192.168.2.6	34.160.144.191
Dec 13, 2024 06:32:29.741595030 CET	443	49754	34.160.144.191	192.168.2.6
Dec 13, 2024 06:32:29.741642952 CET	49754	443	192.168.2.6	34.160.144.191
Dec 13, 2024 06:32:29.781486988 CET	80	49743	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:29.786021948 CET	80	49755	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:29.786077976 CET	49755	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:29.824513912 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.009408951 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.014328003 CET	49757	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.129422903 CET	80	49743	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:30.141041994 CET	49743	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.174225092 CET	80	49757	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:30.333383083 CET	80	49757	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:30.344280958 CET	49757	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.432857037 CET	49763	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:30.432904005 CET	443	49763	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:30.435148001 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.435379982 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.443111897 CET	49763	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:30.444622993 CET	49763	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:30.444642067 CET	443	49763	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:30.554847956 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:30.555058956 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:30.558654070 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.558691978 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.558850050 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.558962107 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:30.678527117 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:30.678631067 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:31.644553900 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:31.645620108 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:31.663698912 CET	443	49763	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:31.663716078 CET	443	49763	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:31.663781881 CET	49763	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:31.669167995 CET	49763	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:31.669178009 CET	443	49763	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:31.669272900 CET	49763	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:31.669353008 CET	443	49763	34.117.188.166	192.168.2.6
Dec 13, 2024 06:32:31.669425964 CET	49763	443	192.168.2.6	34.117.188.166
Dec 13, 2024 06:32:31.686235905 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:31.705504894 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:33.128557920 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:33.130517006 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:33.131617069 CET	49773	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:33.131686926 CET	443	49773	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:33.133027077 CET	49773	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:33.134449959 CET	49773	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:33.134471893 CET	443	49773	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:33.248224020 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:33.250245094 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:33.277663946 CET	49774	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:33.277712107 CET	443	49774	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:33.285408020 CET	49774	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:33.291512966 CET	49774	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:33.291524887 CET	443	49774	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:33.292645931 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:33.292684078 CET	443	49775	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:33.292927980 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:33.310412884 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:33.310431004 CET	443	49775	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:33.442786932 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:33.444147110 CET	49776	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:33.444197893 CET	443	49776	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:33.444817066 CET	49776	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:33.445183992 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:33.446548939 CET	49776	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:33.446566105 CET	443	49776	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:33.485734940 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:33.505811930 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:34.358623981 CET	443	49773	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:34.358716965 CET	49773	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:34.363852024 CET	49773	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:34.363867998 CET	443	49773	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:34.363950014 CET	49773	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:34.364088058 CET	443	49773	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:34.364145041 CET	49773	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:34.513030052 CET	443	49774	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:34.513046026 CET	443	49774	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:34.513154984 CET	49774	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:34.517591953 CET	49774	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:34.517610073 CET	443	49774	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:34.517677069 CET	49774	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:34.517808914 CET	443	49774	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:34.517894983 CET	49774	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:34.522885084 CET	443	49775	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:34.522969007 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:34.525525093 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:34.525532961 CET	443	49775	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:34.525877953 CET	443	49775	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:34.527502060 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:34.527576923 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:34.527682066 CET	443	49775	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:34.527761936 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:34.527777910 CET	49775	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:34.663229942 CET	443	49776	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:34.663311005 CET	49776	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:34.667331934 CET	49776	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:34.667354107 CET	443	49776	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:34.667398930 CET	49776	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:34.667489052 CET	443	49776	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:34.667545080 CET	49776	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:39.065844059 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:39.074637890 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:39.185519934 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:39.194457054 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:39.386413097 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:39.389462948 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:39.430596113 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:39.430783033 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:39.572763920 CET	49794	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.572819948 CET	443	49794	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:39.573091030 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.573144913 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:39.573863983 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.573867083 CET	49794	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.573982000 CET	49794	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.573992968 CET	443	49794	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:39.575474024 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.575495005 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:39.584738016 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.584798098 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:39.588686943 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.588797092 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:39.588809013 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:39.778038979 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:39.897919893 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:40.092632055 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:40.148253918 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:40.788098097 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.788178921 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.792829990 CET	443	49794	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.792967081 CET	49794	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.799199104 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.811332941 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.815666914 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.897315979 CET	49794	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.897337914 CET	443	49794	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.897696018 CET	443	49794	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.899590969 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.899606943 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.899935961 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.918695927 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.918711901 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.918771029 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.919015884 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.919171095 CET	49794	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.919230938 CET	49794	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.919441938 CET	443	49794	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.919543982 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.919719934 CET	49794	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.950570107 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.961179972 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.961266041 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:40.961436987 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:40.962961912 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:41.552848101 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:41.555048943 CET	49803	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:41.555089951 CET	443	49803	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:41.555672884 CET	49803	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:41.557145119 CET	49803	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:41.557159901 CET	443	49803	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:41.672775030 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:41.875462055 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:41.924211979 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:42.770418882 CET	443	49803	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:42.770502090 CET	49803	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:43.365164042 CET	49803	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:43.365205050 CET	443	49803	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:43.365267038 CET	49803	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:43.365489960 CET	443	49803	34.120.208.123	192.168.2.6
Dec 13, 2024 06:32:43.370163918 CET	49803	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:32:43.432470083 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:43.531351089 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:43.552164078 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:43.843403101 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:43.921427011 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:43.921834946 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:43.922712088 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:43.963171959 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:43.974939108 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:43.974967957 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:45.157373905 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:45.174835920 CET	49810	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:45.174901009 CET	443	49810	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:45.175848007 CET	49810	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:45.177227020 CET	49810	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:45.177253962 CET	443	49810	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:45.277112007 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:45.471621990 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:45.526295900 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:46.403512955 CET	443	49810	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:46.403597116 CET	49810	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:46.408725023 CET	49810	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:46.408751011 CET	443	49810	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:46.408817053 CET	49810	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:46.408896923 CET	443	49810	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:46.409017086 CET	49810	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:46.411206961 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:46.530951023 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:46.725876093 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:46.728523970 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:46.783216953 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:46.848351955 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:47.043220043 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:47.101538897 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:47.631247997 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:47.750955105 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:47.946008921 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:47.950658083 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:47.986821890 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:48.070514917 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:48.265059948 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:48.318269968 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:52.308653116 CET	49831	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:52.308705091 CET	443	49831	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:52.309186935 CET	49831	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:52.309469938 CET	49831	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:52.309485912 CET	443	49831	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:52.315565109 CET	49832	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:52.315619946 CET	443	49832	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:52.323964119 CET	49832	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:52.324176073 CET	49832	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:52.324197054 CET	443	49832	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:52.326945066 CET	49833	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:52.326991081 CET	443	49833	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:52.330450058 CET	49833	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:52.332458973 CET	49833	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:52.332494974 CET	443	49833	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:52.456963062 CET	49834	443	192.168.2.6	151.101.129.91
Dec 13, 2024 06:32:52.457007885 CET	443	49834	151.101.129.91	192.168.2.6
Dec 13, 2024 06:32:52.469616890 CET	49834	443	192.168.2.6	151.101.129.91
Dec 13, 2024 06:32:52.469780922 CET	49834	443	192.168.2.6	151.101.129.91
Dec 13, 2024 06:32:52.469794989 CET	443	49834	151.101.129.91	192.168.2.6
Dec 13, 2024 06:32:52.637582064 CET	49835	443	192.168.2.6	35.201.103.21
Dec 13, 2024 06:32:52.637643099 CET	443	49835	35.201.103.21	192.168.2.6
Dec 13, 2024 06:32:52.637787104 CET	49835	443	192.168.2.6	35.201.103.21
Dec 13, 2024 06:32:52.639403105 CET	49835	443	192.168.2.6	35.201.103.21
Dec 13, 2024 06:32:52.639420033 CET	443	49835	35.201.103.21	192.168.2.6
Dec 13, 2024 06:32:53.520406008 CET	443	49831	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.520498037 CET	49831	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.524151087 CET	49831	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.524163008 CET	443	49831	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.524405003 CET	443	49831	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.526468992 CET	49831	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.526597023 CET	49831	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.526607990 CET	443	49831	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.527122021 CET	49831	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.532542944 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:53.537404060 CET	443	49832	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:53.537417889 CET	443	49832	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:53.537503958 CET	49832	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:53.541012049 CET	49832	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:53.541028976 CET	443	49832	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:53.541277885 CET	443	49832	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:53.543772936 CET	49832	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:53.543880939 CET	49832	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:53.543916941 CET	443	49832	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:53.544086933 CET	49832	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:53.546448946 CET	443	49833	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:53.546595097 CET	49833	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:53.550755978 CET	49833	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:53.550769091 CET	443	49833	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:53.550857067 CET	49833	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:53.550998926 CET	443	49833	35.190.72.216	192.168.2.6
Dec 13, 2024 06:32:53.551551104 CET	49833	443	192.168.2.6	35.190.72.216
Dec 13, 2024 06:32:53.652319908 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:53.683552980 CET	443	49834	151.101.129.91	192.168.2.6
Dec 13, 2024 06:32:53.683574915 CET	443	49834	151.101.129.91	192.168.2.6
Dec 13, 2024 06:32:53.683697939 CET	49834	443	192.168.2.6	151.101.129.91
Dec 13, 2024 06:32:53.687449932 CET	49834	443	192.168.2.6	151.101.129.91
Dec 13, 2024 06:32:53.687463999 CET	443	49834	151.101.129.91	192.168.2.6
Dec 13, 2024 06:32:53.687810898 CET	443	49834	151.101.129.91	192.168.2.6
Dec 13, 2024 06:32:53.690530062 CET	49834	443	192.168.2.6	151.101.129.91
Dec 13, 2024 06:32:53.690644026 CET	49834	443	192.168.2.6	151.101.129.91
Dec 13, 2024 06:32:53.690710068 CET	443	49834	151.101.129.91	192.168.2.6
Dec 13, 2024 06:32:53.700036049 CET	49834	443	192.168.2.6	151.101.129.91
Dec 13, 2024 06:32:53.703576088 CET	49836	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.703619957 CET	443	49836	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.707349062 CET	49837	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.707405090 CET	443	49837	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.707814932 CET	49836	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.707961082 CET	49836	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.707962036 CET	49837	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.707972050 CET	443	49836	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.708107948 CET	49837	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.708117962 CET	443	49837	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.710472107 CET	49838	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.710485935 CET	443	49838	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.710647106 CET	49838	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.710764885 CET	49838	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:53.710773945 CET	443	49838	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:53.847069025 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:53.850428104 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:53.857110977 CET	443	49835	35.201.103.21	192.168.2.6
Dec 13, 2024 06:32:53.857389927 CET	49835	443	192.168.2.6	35.201.103.21
Dec 13, 2024 06:32:53.861818075 CET	49835	443	192.168.2.6	35.201.103.21
Dec 13, 2024 06:32:53.861825943 CET	443	49835	35.201.103.21	192.168.2.6
Dec 13, 2024 06:32:53.861946106 CET	49835	443	192.168.2.6	35.201.103.21
Dec 13, 2024 06:32:53.861993074 CET	443	49835	35.201.103.21	192.168.2.6
Dec 13, 2024 06:32:53.862200022 CET	49835	443	192.168.2.6	35.201.103.21
Dec 13, 2024 06:32:53.864531040 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:53.876610994 CET	49842	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:53.876642942 CET	443	49842	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:53.876729965 CET	49842	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:53.876827955 CET	49842	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:53.876837015 CET	443	49842	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:53.970093012 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:53.984230042 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:54.164607048 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:54.179193020 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:54.182344913 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:54.225691080 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:54.302145004 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:54.496973038 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:54.542207003 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:54.925580978 CET	443	49836	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.925620079 CET	443	49837	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.925661087 CET	49836	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.925787926 CET	49837	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.925865889 CET	443	49838	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.925928116 CET	49838	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.928463936 CET	49836	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.928474903 CET	443	49836	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.928725958 CET	443	49836	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.930931091 CET	49838	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.930937052 CET	443	49838	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.931178093 CET	443	49838	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.933013916 CET	49837	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.933037043 CET	443	49837	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.933250904 CET	443	49837	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.936651945 CET	49836	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.936808109 CET	443	49836	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.936826944 CET	49836	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.936836004 CET	443	49836	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.936914921 CET	49837	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.936980009 CET	49837	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.937072039 CET	443	49837	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.937319040 CET	49838	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.937357903 CET	49838	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.937463999 CET	443	49838	35.244.181.201	192.168.2.6
Dec 13, 2024 06:32:54.937520981 CET	49837	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.937757969 CET	49836	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.937889099 CET	49838	443	192.168.2.6	35.244.181.201
Dec 13, 2024 06:32:54.943180084 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:55.062944889 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:55.089030981 CET	443	49842	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:55.089129925 CET	49842	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:55.092562914 CET	49842	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:55.092571974 CET	443	49842	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:55.092814922 CET	443	49842	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:55.095391035 CET	49842	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:55.095503092 CET	49842	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:55.095539093 CET	443	49842	34.149.100.209	192.168.2.6
Dec 13, 2024 06:32:55.096714973 CET	49842	443	192.168.2.6	34.149.100.209
Dec 13, 2024 06:32:55.257822037 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:55.260870934 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:55.306864977 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:55.380563974 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:55.575195074 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:55.629976034 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:56.484164953 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:56.484188080 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:56.484534025 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:56.485915899 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:56.485929966 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:57.701164007 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:57.701251030 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:57.706327915 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:57.706346989 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:57.706422091 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:57.706496000 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 06:32:57.706629038 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:32:57.709629059 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:57.832165003 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:58.024266005 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:58.029802084 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:58.068284988 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:32:58.149692059 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:58.344137907 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:32:58.384653091 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:08.028081894 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:08.147793055 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:08.367238045 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:08.486924887 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:18.157793999 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:18.278628111 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:18.496541023 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:18.616337061 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:18.875658989 CET	49900	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:33:18.875691891 CET	443	49900	34.107.243.93	192.168.2.6
Dec 13, 2024 06:33:18.880217075 CET	49900	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:33:18.881870031 CET	49900	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:33:18.881889105 CET	443	49900	34.107.243.93	192.168.2.6
Dec 13, 2024 06:33:20.093592882 CET	443	49900	34.107.243.93	192.168.2.6
Dec 13, 2024 06:33:20.093671083 CET	49900	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:33:20.098105907 CET	49900	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:33:20.098110914 CET	443	49900	34.107.243.93	192.168.2.6
Dec 13, 2024 06:33:20.098201036 CET	49900	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:33:20.098294973 CET	443	49900	34.107.243.93	192.168.2.6
Dec 13, 2024 06:33:20.098994017 CET	49900	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:33:20.100812912 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:20.220530033 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:20.416570902 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:20.419935942 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:20.457812071 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:20.539697886 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:20.734127045 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:20.774296045 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:22.643105030 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643163919 CET	443	49909	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.643214941 CET	49910	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643285990 CET	443	49910	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.643309116 CET	49911	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643351078 CET	443	49911	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.643512011 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643549919 CET	49913	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643567085 CET	443	49912	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.643590927 CET	443	49913	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.643754959 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643758059 CET	49910	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643765926 CET	443	49914	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.643767118 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643768072 CET	49911	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643800020 CET	49913	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643832922 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.643997908 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.644022942 CET	443	49909	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.644069910 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.644119024 CET	49913	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.644134998 CET	443	49913	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.644265890 CET	49911	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.644289970 CET	443	49911	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.644320965 CET	49910	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.644342899 CET	443	49910	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.644388914 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.644388914 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:22.644412041 CET	443	49912	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:22.644433022 CET	443	49914	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.856686115 CET	443	49914	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.856694937 CET	443	49912	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.856782913 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.857496023 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.859507084 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.859529018 CET	443	49914	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.859765053 CET	443	49914	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.861444950 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.861460924 CET	443	49912	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.861752987 CET	443	49912	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.862770081 CET	443	49909	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.863599062 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.863701105 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.863734961 CET	443	49914	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.864082098 CET	49919	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.864123106 CET	443	49919	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.864204884 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.864263058 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.864335060 CET	443	49912	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.864567041 CET	49920	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.864648104 CET	443	49920	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.867269039 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.867299080 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.867299080 CET	49914	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.867346048 CET	49912	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.867362022 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.867749929 CET	49919	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.868043900 CET	443	49911	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.868963957 CET	443	49913	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.869589090 CET	443	49910	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.870069981 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.870079041 CET	443	49909	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.870301962 CET	443	49909	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.870481014 CET	49919	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.870496035 CET	443	49919	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.871958017 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.872041941 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.872088909 CET	443	49909	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.873555899 CET	49920	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.873581886 CET	49911	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.873584986 CET	49913	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.874703884 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.874721050 CET	49909	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.874737978 CET	49910	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.876463890 CET	49911	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.876476049 CET	443	49911	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.876710892 CET	443	49911	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.878423929 CET	49913	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.878442049 CET	443	49913	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.879340887 CET	443	49913	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.880409002 CET	49910	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.880439043 CET	443	49910	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.880827904 CET	443	49910	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.881130934 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:23.881248951 CET	49920	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.881280899 CET	443	49920	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.884500980 CET	49911	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.884706020 CET	49911	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.884777069 CET	49913	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.884846926 CET	49913	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.885018110 CET	443	49911	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.885207891 CET	443	49913	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.885441065 CET	49910	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.885507107 CET	49910	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.885649920 CET	49911	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.885664940 CET	49913	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:23.885854006 CET	443	49910	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:23.885902882 CET	49910	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:24.001044035 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:24.196046114 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:24.198810101 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:24.252808094 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:24.366846085 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:24.517739058 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:24.568866968 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:25.081161976 CET	443	49919	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.081382036 CET	49919	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.084186077 CET	49919	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.084192038 CET	443	49919	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.084379911 CET	443	49919	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.086035013 CET	49919	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.086147070 CET	49919	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.086157084 CET	443	49919	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.086354017 CET	49919	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.088659048 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:25.094362974 CET	443	49920	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.094378948 CET	443	49920	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.094471931 CET	49920	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.097138882 CET	49920	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.097181082 CET	443	49920	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.097441912 CET	443	49920	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.099790096 CET	49920	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.099912882 CET	49920	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.099946976 CET	443	49920	34.120.208.123	192.168.2.6
Dec 13, 2024 06:33:25.100056887 CET	49920	443	192.168.2.6	34.120.208.123
Dec 13, 2024 06:33:25.208376884 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:25.403800964 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:25.410320997 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:25.455948114 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:25.530205965 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:25.724534035 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:25.772315025 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:35.416111946 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:35.535891056 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:35.732709885 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:35.852475882 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:45.545352936 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:45.665159941 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:45.861773968 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:45.981543064 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:55.674496889 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:55.794193029 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:33:55.991029978 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:33:56.110898018 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:34:00.469557047 CET	50003	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:34:00.469629049 CET	443	50003	34.107.243.93	192.168.2.6
Dec 13, 2024 06:34:00.469780922 CET	50003	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:34:00.471993923 CET	50003	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:34:00.472017050 CET	443	50003	34.107.243.93	192.168.2.6
Dec 13, 2024 06:34:01.684705973 CET	443	50003	34.107.243.93	192.168.2.6
Dec 13, 2024 06:34:01.684787989 CET	50003	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:34:01.691410065 CET	50003	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:34:01.691421986 CET	443	50003	34.107.243.93	192.168.2.6
Dec 13, 2024 06:34:01.691514015 CET	50003	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:34:01.691566944 CET	443	50003	34.107.243.93	192.168.2.6
Dec 13, 2024 06:34:01.692259073 CET	50003	443	192.168.2.6	34.107.243.93
Dec 13, 2024 06:34:01.695028067 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:34:01.815674067 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:34:02.011410952 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:34:02.021711111 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:34:02.062215090 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:34:02.141841888 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:34:02.336400986 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:34:02.378813028 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:34:12.022018909 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:34:12.141678095 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:34:12.341515064 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:34:12.461287975 CET	80	49764	34.107.221.82	192.168.2.6
Dec 13, 2024 06:34:22.142390013 CET	49765	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:34:22.262271881 CET	80	49765	34.107.221.82	192.168.2.6
Dec 13, 2024 06:34:22.474509954 CET	49764	80	192.168.2.6	34.107.221.82
Dec 13, 2024 06:34:22.594417095 CET	80	49764	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 06:32:27.016798019 CET	63962	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:27.018567085 CET	63138	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:27.153727055 CET	53	63962	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:27.164566994 CET	49345	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:27.166851044 CET	51292	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:27.167948008 CET	57187	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:27.301661015 CET	53	49345	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:27.302519083 CET	65439	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:27.304111004 CET	53	51292	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:27.304678917 CET	64122	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:27.405177116 CET	53	57187	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:27.409584045 CET	59518	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:27.439636946 CET	53	65439	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:27.441776037 CET	53	64122	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:27.546717882 CET	53	59518	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:27.973939896 CET	54833	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.112142086 CET	53	54833	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.113486052 CET	57943	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.251410961 CET	53	57943	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.252166986 CET	50657	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.318178892 CET	57526	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.337560892 CET	51551	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.364991903 CET	54119	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.389503002 CET	53	50657	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.456337929 CET	53	57526	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.457406998 CET	63851	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.474716902 CET	53	51551	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.487420082 CET	56513	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.595467091 CET	53	63851	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.596280098 CET	51774	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.598470926 CET	50255	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.601485968 CET	53	54119	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.602637053 CET	58319	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.626514912 CET	53	56513	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.633095980 CET	51266	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.634506941 CET	56378	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.638456106 CET	51942	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.677541018 CET	64798	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:28.733829975 CET	53	51774	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.735475063 CET	53	50255	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.769993067 CET	53	51266	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.776667118 CET	53	51942	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:28.859204054 CET	53	58319	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:29.357952118 CET	53	51999	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:30.458600044 CET	60618	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:30.596509933 CET	53	60618	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:30.598536968 CET	51336	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:30.738168001 CET	53	51336	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:30.738832951 CET	64292	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:30.876617908 CET	53	64292	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:33.107498884 CET	57511	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:33.246344090 CET	53	57511	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:33.249202013 CET	60495	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:33.272569895 CET	62230	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:33.278230906 CET	52775	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:33.410291910 CET	53	62230	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:33.416588068 CET	53	52775	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:33.444736958 CET	64871	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:33.448911905 CET	59986	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:33.563764095 CET	53	60495	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:33.564528942 CET	55434	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:33.581959963 CET	53	64871	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:33.586311102 CET	53	59986	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:33.589344025 CET	52381	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:33.727022886 CET	53	52381	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:33.793489933 CET	53	55434	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:39.065418005 CET	61232	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:39.085006952 CET	49421	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:39.221775055 CET	53	49421	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.175585985 CET	56510	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.312489986 CET	53	56510	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.379889965 CET	61297	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.379980087 CET	61746	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.516767025 CET	53	61297	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.517852068 CET	55893	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.518033028 CET	53	61746	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.518778086 CET	60879	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.591500044 CET	64788	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.655414104 CET	53	55893	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.655437946 CET	53	60879	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.656126976 CET	64764	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.656239033 CET	60855	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.728619099 CET	53	64788	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.729480982 CET	51260	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.793334961 CET	53	64764	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.793724060 CET	53	60855	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.794163942 CET	52064	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.794403076 CET	54132	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.866822958 CET	53	51260	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.867539883 CET	52388	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.931272984 CET	53	52064	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.931512117 CET	53	54132	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:45.932192087 CET	53160	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:45.932250023 CET	52598	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:46.006181002 CET	53	52388	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:46.069550991 CET	53	53160	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:46.070406914 CET	61639	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:46.147020102 CET	53	52598	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:46.147784948 CET	64570	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:46.207573891 CET	53	61639	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:46.359858036 CET	53	64570	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:52.308999062 CET	64751	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:52.311686993 CET	49533	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:52.342714071 CET	56514	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:52.448831081 CET	53	64751	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:52.449899912 CET	53	49533	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:52.457662106 CET	51233	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:52.599423885 CET	53	51233	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:52.602554083 CET	60415	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:52.635992050 CET	53	56514	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:52.637692928 CET	56054	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:52.833911896 CET	53	60415	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:52.839724064 CET	53	56054	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:52.840728045 CET	61050	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:52.978957891 CET	53	61050	1.1.1.1	192.168.2.6
Dec 13, 2024 06:32:56.484428883 CET	50480	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:32:56.621822119 CET	53	50480	1.1.1.1	192.168.2.6
Dec 13, 2024 06:33:18.724417925 CET	57878	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:33:18.861917973 CET	53	57878	1.1.1.1	192.168.2.6
Dec 13, 2024 06:33:18.880642891 CET	49194	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:33:19.017700911 CET	53	49194	1.1.1.1	192.168.2.6
Dec 13, 2024 06:33:22.643196106 CET	58313	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:33:22.782162905 CET	53	58313	1.1.1.1	192.168.2.6
Dec 13, 2024 06:33:22.784060001 CET	64033	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:33:22.921574116 CET	53	64033	1.1.1.1	192.168.2.6
Dec 13, 2024 06:34:00.469559908 CET	60534	53	192.168.2.6	1.1.1.1
Dec 13, 2024 06:34:00.607458115 CET	53	60534	1.1.1.1	192.168.2.6
Dec 13, 2024 06:34:01.695271969 CET	51722	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 06:32:27.016798019 CET	192.168.2.6	1.1.1.1	0xc984	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.018567085 CET	192.168.2.6	1.1.1.1	0x8dee	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.164566994 CET	192.168.2.6	1.1.1.1	0xba96	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.166851044 CET	192.168.2.6	1.1.1.1	0x1f98	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.167948008 CET	192.168.2.6	1.1.1.1	0xeb6e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.302519083 CET	192.168.2.6	1.1.1.1	0xa89a	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:27.304678917 CET	192.168.2.6	1.1.1.1	0xc170	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:27.409584045 CET	192.168.2.6	1.1.1.1	0xa83f	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:27.973939896 CET	192.168.2.6	1.1.1.1	0x27c2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.113486052 CET	192.168.2.6	1.1.1.1	0x9e9c	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.252166986 CET	192.168.2.6	1.1.1.1	0x2070	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:28.318178892 CET	192.168.2.6	1.1.1.1	0x47be	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.337560892 CET	192.168.2.6	1.1.1.1	0xd9b3	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.364991903 CET	192.168.2.6	1.1.1.1	0x287a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.457406998 CET	192.168.2.6	1.1.1.1	0x11a7	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.487420082 CET	192.168.2.6	1.1.1.1	0x82ba	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.596280098 CET	192.168.2.6	1.1.1.1	0xfa52	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:28.598470926 CET	192.168.2.6	1.1.1.1	0x5204	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.602637053 CET	192.168.2.6	1.1.1.1	0x6dba	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:28.633095980 CET	192.168.2.6	1.1.1.1	0xd9c9	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.634506941 CET	192.168.2.6	1.1.1.1	0xc855	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.638456106 CET	192.168.2.6	1.1.1.1	0x7a27	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:28.677541018 CET	192.168.2.6	1.1.1.1	0x3f84	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:30.458600044 CET	192.168.2.6	1.1.1.1	0x70d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:30.598536968 CET	192.168.2.6	1.1.1.1	0x5e20	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:30.738832951 CET	192.168.2.6	1.1.1.1	0x3eb2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:33.107498884 CET	192.168.2.6	1.1.1.1	0x6fea	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.249202013 CET	192.168.2.6	1.1.1.1	0x5f91	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.272569895 CET	192.168.2.6	1.1.1.1	0xb01c	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.278230906 CET	192.168.2.6	1.1.1.1	0xf87e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.444736958 CET	192.168.2.6	1.1.1.1	0x376	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.448911905 CET	192.168.2.6	1.1.1.1	0x62c4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:33.564528942 CET	192.168.2.6	1.1.1.1	0x9269	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:33.589344025 CET	192.168.2.6	1.1.1.1	0x248a	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:39.065418005 CET	192.168.2.6	1.1.1.1	0x355e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:39.085006952 CET	192.168.2.6	1.1.1.1	0x956a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:45.175585985 CET	192.168.2.6	1.1.1.1	0x51a2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:45.379889965 CET	192.168.2.6	1.1.1.1	0xb560	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.379980087 CET	192.168.2.6	1.1.1.1	0x9873	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.517852068 CET	192.168.2.6	1.1.1.1	0x37cb	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.518778086 CET	192.168.2.6	1.1.1.1	0x36ca	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.591500044 CET	192.168.2.6	1.1.1.1	0x6e31	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.656126976 CET	192.168.2.6	1.1.1.1	0x6ab1	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:45.656239033 CET	192.168.2.6	1.1.1.1	0x96df	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:45.729480982 CET	192.168.2.6	1.1.1.1	0xe553	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.794163942 CET	192.168.2.6	1.1.1.1	0x959b	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.794403076 CET	192.168.2.6	1.1.1.1	0x7d27	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.867539883 CET	192.168.2.6	1.1.1.1	0x9082	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 06:32:45.932192087 CET	192.168.2.6	1.1.1.1	0xf611	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.932250023 CET	192.168.2.6	1.1.1.1	0x702c	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:46.070406914 CET	192.168.2.6	1.1.1.1	0x562d	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:46.147784948 CET	192.168.2.6	1.1.1.1	0xc54f	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:52.308999062 CET	192.168.2.6	1.1.1.1	0xa7e6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:32:52.311686993 CET	192.168.2.6	1.1.1.1	0x552c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.342714071 CET	192.168.2.6	1.1.1.1	0xf738	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.457662106 CET	192.168.2.6	1.1.1.1	0x88d4	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.602554083 CET	192.168.2.6	1.1.1.1	0xedc0	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 06:32:52.637692928 CET	192.168.2.6	1.1.1.1	0x818a	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.840728045 CET	192.168.2.6	1.1.1.1	0xf83d	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:32:56.484428883 CET	192.168.2.6	1.1.1.1	0x87ab	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:33:18.724417925 CET	192.168.2.6	1.1.1.1	0x8466	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:33:18.880642891 CET	192.168.2.6	1.1.1.1	0x2589	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:33:22.643196106 CET	192.168.2.6	1.1.1.1	0x49c5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:33:22.784060001 CET	192.168.2.6	1.1.1.1	0xacff	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:34:00.469559908 CET	192.168.2.6	1.1.1.1	0x16e3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:34:01.695271969 CET	192.168.2.6	1.1.1.1	0x226f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 06:32:27.153727055 CET	1.1.1.1	192.168.2.6	0xc984	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.154902935 CET	1.1.1.1	192.168.2.6	0x7384	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.155832052 CET	1.1.1.1	192.168.2.6	0x8dee	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:27.155832052 CET	1.1.1.1	192.168.2.6	0x8dee	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.301661015 CET	1.1.1.1	192.168.2.6	0xba96	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.304111004 CET	1.1.1.1	192.168.2.6	0x1f98	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.405177116 CET	1.1.1.1	192.168.2.6	0xeb6e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:27.439636946 CET	1.1.1.1	192.168.2.6	0xa89a	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 06:32:27.441776037 CET	1.1.1.1	192.168.2.6	0xc170	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 06:32:28.112142086 CET	1.1.1.1	192.168.2.6	0x27c2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.251410961 CET	1.1.1.1	192.168.2.6	0x9e9c	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.363733053 CET	1.1.1.1	192.168.2.6	0xce3c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:28.363733053 CET	1.1.1.1	192.168.2.6	0xce3c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.456337929 CET	1.1.1.1	192.168.2.6	0x47be	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:28.456337929 CET	1.1.1.1	192.168.2.6	0x47be	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.474716902 CET	1.1.1.1	192.168.2.6	0xd9b3	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:28.474716902 CET	1.1.1.1	192.168.2.6	0xd9b3	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:28.474716902 CET	1.1.1.1	192.168.2.6	0xd9b3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.595467091 CET	1.1.1.1	192.168.2.6	0x11a7	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.601485968 CET	1.1.1.1	192.168.2.6	0x287a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.626514912 CET	1.1.1.1	192.168.2.6	0x82ba	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.735475063 CET	1.1.1.1	192.168.2.6	0x5204	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.769993067 CET	1.1.1.1	192.168.2.6	0xd9c9	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.769993067 CET	1.1.1.1	192.168.2.6	0xd9c9	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.771627903 CET	1.1.1.1	192.168.2.6	0xc855	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:28.771627903 CET	1.1.1.1	192.168.2.6	0xc855	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:28.776667118 CET	1.1.1.1	192.168.2.6	0x7a27	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 06:32:28.906021118 CET	1.1.1.1	192.168.2.6	0x3f84	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:30.596509933 CET	1.1.1.1	192.168.2.6	0x70d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:30.738168001 CET	1.1.1.1	192.168.2.6	0x5e20	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.246344090 CET	1.1.1.1	192.168.2.6	0x6fea	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:33.246344090 CET	1.1.1.1	192.168.2.6	0x6fea	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:33.246344090 CET	1.1.1.1	192.168.2.6	0x6fea	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.265794992 CET	1.1.1.1	192.168.2.6	0x9497	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.287924051 CET	1.1.1.1	192.168.2.6	0x3931	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:33.287924051 CET	1.1.1.1	192.168.2.6	0x3931	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.410291910 CET	1.1.1.1	192.168.2.6	0xb01c	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:33.410291910 CET	1.1.1.1	192.168.2.6	0xb01c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.416588068 CET	1.1.1.1	192.168.2.6	0xf87e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.563764095 CET	1.1.1.1	192.168.2.6	0x5f91	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:33.581959963 CET	1.1.1.1	192.168.2.6	0x376	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:39.203947067 CET	1.1.1.1	192.168.2.6	0x355e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:39.203947067 CET	1.1.1.1	192.168.2.6	0x355e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:39.221164942 CET	1.1.1.1	192.168.2.6	0x1c6e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.516767025 CET	1.1.1.1	192.168.2.6	0xb560	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.518033028 CET	1.1.1.1	192.168.2.6	0x9873	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:45.518033028 CET	1.1.1.1	192.168.2.6	0x9873	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655414104 CET	1.1.1.1	192.168.2.6	0x37cb	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.655437946 CET	1.1.1.1	192.168.2.6	0x36ca	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.728619099 CET	1.1.1.1	192.168.2.6	0x6e31	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:45.728619099 CET	1.1.1.1	192.168.2.6	0x6e31	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.793334961 CET	1.1.1.1	192.168.2.6	0x6ab1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 06:32:45.793334961 CET	1.1.1.1	192.168.2.6	0x6ab1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 06:32:45.793334961 CET	1.1.1.1	192.168.2.6	0x6ab1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 06:32:45.793334961 CET	1.1.1.1	192.168.2.6	0x6ab1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 06:32:45.793724060 CET	1.1.1.1	192.168.2.6	0x96df	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 06:32:45.866822958 CET	1.1.1.1	192.168.2.6	0xe553	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.931272984 CET	1.1.1.1	192.168.2.6	0x959b	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:45.931272984 CET	1.1.1.1	192.168.2.6	0x959b	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.931272984 CET	1.1.1.1	192.168.2.6	0x959b	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.931272984 CET	1.1.1.1	192.168.2.6	0x959b	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.931272984 CET	1.1.1.1	192.168.2.6	0x959b	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:45.931512117 CET	1.1.1.1	192.168.2.6	0x7d27	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:46.006181002 CET	1.1.1.1	192.168.2.6	0x9082	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 06:32:46.069550991 CET	1.1.1.1	192.168.2.6	0xf611	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:46.147020102 CET	1.1.1.1	192.168.2.6	0x702c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:46.147020102 CET	1.1.1.1	192.168.2.6	0x702c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:46.147020102 CET	1.1.1.1	192.168.2.6	0x702c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:46.147020102 CET	1.1.1.1	192.168.2.6	0x702c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.449899912 CET	1.1.1.1	192.168.2.6	0x552c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.449899912 CET	1.1.1.1	192.168.2.6	0x552c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.449899912 CET	1.1.1.1	192.168.2.6	0x552c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.449899912 CET	1.1.1.1	192.168.2.6	0x552c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.599423885 CET	1.1.1.1	192.168.2.6	0x88d4	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.599423885 CET	1.1.1.1	192.168.2.6	0x88d4	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.599423885 CET	1.1.1.1	192.168.2.6	0x88d4	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.599423885 CET	1.1.1.1	192.168.2.6	0x88d4	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.635992050 CET	1.1.1.1	192.168.2.6	0xf738	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:52.635992050 CET	1.1.1.1	192.168.2.6	0xf738	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:52.833911896 CET	1.1.1.1	192.168.2.6	0xedc0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 06:32:52.833911896 CET	1.1.1.1	192.168.2.6	0xedc0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 06:32:52.833911896 CET	1.1.1.1	192.168.2.6	0xedc0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 06:32:52.833911896 CET	1.1.1.1	192.168.2.6	0xedc0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 06:32:52.839724064 CET	1.1.1.1	192.168.2.6	0x818a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:32:55.718568087 CET	1.1.1.1	192.168.2.6	0xa544	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:32:55.718568087 CET	1.1.1.1	192.168.2.6	0xa544	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:33:18.861917973 CET	1.1.1.1	192.168.2.6	0x8466	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:33:22.641907930 CET	1.1.1.1	192.168.2.6	0xdac	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:33:22.782162905 CET	1.1.1.1	192.168.2.6	0x49c5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:34:01.834558010 CET	1.1.1.1	192.168.2.6	0x226f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:34:01.834558010 CET	1.1.1.1	192.168.2.6	0x226f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49743	34.107.221.82	80	5784	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:32:27.289366961 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:28.376012087 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69783 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:28.631119013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:28.961393118 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69783 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:29.466969967 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:29.781486988 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69784 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49755	34.107.221.82	80	5784	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:32:28.895209074 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49757	34.107.221.82	80	5784	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:32:29.442890882 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49764	34.107.221.82	80	5784	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:32:30.558850050 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:31.644553900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53691 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:33.128557920 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:33.442786932 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53693 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:39.065844059 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:39.386413097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53699 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:39.778038979 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:40.092632055 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53699 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:43.432470083 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:43.921834946 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53703 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:45.157373905 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:45.471621990 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53705 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:46.728523970 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:47.043220043 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53706 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:47.950658083 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:48.265059948 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53708 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:53.850428104 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:54.164607048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53714 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:54.182344913 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:54.496973038 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53714 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:55.260870934 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:55.575195074 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53715 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:32:58.029802084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:32:58.344137907 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53718 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:33:08.367238045 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:33:18.496541023 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:33:20.419935942 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:33:20.734127045 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53740 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:33:24.198810101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:33:24.517739058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53744 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:33:25.410320997 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:33:25.724534035 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53745 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:33:35.732709885 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:33:45.861773968 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:33:55.991029978 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:34:02.021711111 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:34:02.336400986 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 53782 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:34:12.341515064 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:34:22.474509954 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49765	34.107.221.82	80	5784	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:32:30.558962107 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:31.645620108 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69786 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:33.130517006 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:33.445183992 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69788 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:39.074637890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:39.389462948 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69794 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:41.552848101 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:41.875462055 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69796 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:43.531351089 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:43.843403101 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:43.922712088 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69798 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:46.411206961 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:46.725876093 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69801 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:47.631247997 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:47.946008921 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69802 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:53.532542944 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:53.847069025 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69808 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:53.864531040 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:54.179193020 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69809 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:54.943180084 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:55.257822037 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69810 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:32:57.709629059 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:32:58.024266005 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69812 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:33:08.028081894 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:33:18.157793999 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:33:20.100812912 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:33:20.416570902 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69835 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:33:23.881130934 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:33:24.196046114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69839 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:33:25.088659048 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:33:25.403800964 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69840 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:33:35.416111946 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:33:45.545352936 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:33:55.674496889 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:34:01.695028067 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:34:02.011410952 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 69876 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:34:12.022018909 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:34:22.142390013 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	00:32:15
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa0000
File size:	972'288 bytes
MD5 hash:	E065205FC134566FDA736CCC9BE37E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:32:16
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x840000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:32:16
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:32:18
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x840000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:32:18
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:32:18
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x840000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:32:18
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:32:19
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x840000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:32:19
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:32:19
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x840000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:32:19
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:32:19
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:32:19
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff66e660000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:32:19
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	00:32:21
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2200 -prefMapHandle 2192 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b81855ed-d965-4fdf-8e94-63f103592f59} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162a4c70b10 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	00:32:24
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -parentBuildID 20230927232528 -prefsHandle 2148 -prefMapHandle 3980 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c19d47-4226-4162-bf4f-a9cc946d4c3b} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162b64d0010 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	00:32:32
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 2928 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db75d719-a1f1-4453-b1fb-183b70aadf76} 5784 "\\.\pipe\gecko-crash-server-pipe.5784" 162c0d38d10 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1744
Total number of Limit Nodes:	60

Executed Functions

Function 000A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 000A430D

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

GetCurrentProcess.KERNEL32(?,0013CB64,00000000,?,?), ref: 000A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 000A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 000A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000A4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 000A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 000A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000A44A0

Strings

kernel32.dll, xrefs: 000A444F
GetNativeSystemInfo, xrefs: 000A4460
|O, xrefs: 000E36F8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4137581bef1b35e4cdceec77c49803f073b952604c0516f6b3206c2591c83ad1
Instruction ID: 40d01a40b5c396e388fa9b74235158a970bba265da6a333e360c6d7235a55804
Opcode Fuzzy Hash: 4137581bef1b35e4cdceec77c49803f073b952604c0516f6b3206c2591c83ad1
Instruction Fuzzy Hash: E7A1A37691E2C0FFC721CBBE7C451997FF47B66360B084999E08DA7E62D26046C8CB61

Function 000A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000A50AA,?,?,00000000,00000000), ref: 000A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000A50AA,?,?,00000000,00000000), ref: 000A42C9
LoadResource.KERNEL32(?,00000000,?,?,000A50AA,?,?,00000000,00000000,?,?,?,?,?,?,000A4F20), ref: 000E35BE
SizeofResource.KERNEL32(?,00000000,?,?,000A50AA,?,?,00000000,00000000,?,?,?,?,?,?,000A4F20), ref: 000E35D3
LockResource.KERNEL32(000A50AA,?,?,000A50AA,?,?,00000000,00000000,?,?,?,?,?,?,000A4F20,?), ref: 000E35E6

Strings

SCRIPT, xrefs: 000A42BF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 890a8a4758f831d19eb112d6b4ad95aa3e1bbad5b3c36de2f83c06b8876f171f
Instruction ID: b9c9b7d782e033edcacbb885f097fbec80390a8d9c43b750e74970a49743a80b
Opcode Fuzzy Hash: 890a8a4758f831d19eb112d6b4ad95aa3e1bbad5b3c36de2f83c06b8876f171f
Instruction Fuzzy Hash: 76118E75640700BFD7218BA5DC48F277BB9EBC6B51F104169F402E6650DBB1DC408760

Function 000E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 000A2B6B

Part of subcall function 000A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00171418,?,000A2E7F,?,?,?,00000000), ref: 000A3A78

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00162224), ref: 000E2C10
ShellExecuteW.SHELL32(00000000,?,?,00162224), ref: 000E2C17

Strings

runas, xrefs: 000E2C0B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d2a48a69fefb0206778eb09bd3ea2dcfc24a6011ad925f6c54078fd1324f1886
Instruction ID: 1a9c8d39f6ee9e50cc7a4c082ef53123f1e8e7bc19c994dcddf1f5edb619430d
Opcode Fuzzy Hash: d2a48a69fefb0206778eb09bd3ea2dcfc24a6011ad925f6c54078fd1324f1886
Instruction Fuzzy Hash: 481196322083416BC714FFE8DC529FEB7A5AB93750F44542DF187620A3DF2186498752

Function 0010D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0010D501
Process32FirstW.KERNEL32(00000000,?), ref: 0010D50F
Process32NextW.KERNEL32(00000000,?), ref: 0010D52F
CloseHandle.KERNEL32(00000000), ref: 0010D5DC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 667b65ce733ff889000c19358a455a5d47eb128aa42a678e1bc4d44555262b43
Instruction ID: 7d09ac40e55401f9fdd3ed9bb157ae130461bf53055fbd0143e2d0ca8d8b0ad4
Opcode Fuzzy Hash: 667b65ce733ff889000c19358a455a5d47eb128aa42a678e1bc4d44555262b43
Instruction Fuzzy Hash: E031A2711083019FD300EF94DC81AAFBBF8EF9A354F54092DF581961E2EBB19949CB92

Function 0010DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,000E5222), ref: 0010DBCE
GetFileAttributesW.KERNEL32(?), ref: 0010DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0010DBEE
FindClose.KERNEL32(00000000), ref: 0010DBFA

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f28328e659e97ae3662f1839c37a6398b4a6d711858b06f4b2cdc8739d0106a6
Instruction ID: 0cb6e3f89d2cc134cb7f6df18af79d12528c6ecefbe8372dfdcaf040c2c0b1bd
Opcode Fuzzy Hash: f28328e659e97ae3662f1839c37a6398b4a6d711858b06f4b2cdc8739d0106a6
Instruction Fuzzy Hash: 0CF0A03181092057D2206BB8AE0D8AB3B6D9F02334B10470AF8B6D24E0EBF059948AD5

Function 000FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000FD220

Strings

%.3d, xrefs: 000FD22B
X64, xrefs: 000FD2A8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9b26a3934635a87f6a2d6a0cd1cb5db685168c4d9e4b68b4d06d9d6372bd798f
Instruction ID: 44249d4cd1e1bb5eb68b294400cbb605aad08d462e876a8814b41f5bb3d4872a
Opcode Fuzzy Hash: 9b26a3934635a87f6a2d6a0cd1cb5db685168c4d9e4b68b4d06d9d6372bd798f
Instruction Fuzzy Hash: D3D0626180911DE9CBE097D0DC459FEB77DBB29341F508453FA06A2441E724D55877A1

Function 000C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000D28E9,?,000C4CBE,000D28E9,001688B8,0000000C,000C4E15,000D28E9,00000002,00000000,?,000D28E9), ref: 000C4D09
TerminateProcess.KERNEL32(00000000,?,000C4CBE,000D28E9,001688B8,0000000C,000C4E15,000D28E9,00000002,00000000,?,000D28E9), ref: 000C4D10
ExitProcess.KERNEL32 ref: 000C4D22

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 204eb5171a4182f7340432cba04bab8ce2282a373182bf18651139b8281d0869
Instruction ID: a8fc09406d1c40c839ca0647d63bcdc26cf696bbd544ae417f1b157c9a31954e
Opcode Fuzzy Hash: 204eb5171a4182f7340432cba04bab8ce2282a373182bf18651139b8281d0869
Instruction Fuzzy Hash: D6E0B631000248ABCF11BF64DD1AF9C3B69FB41791B108418FC0A9A623CB35DD92DB90

Function 000FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000FD28C

Strings

X64, xrefs: 000FD2A8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 26b26bda45b6e3f40ce1fdb4f6f396fa8e493ffcc57db85e29ce8398fd560e4c
Instruction ID: 5b0e17ac395c21fdc1d0ee2720e511d199dc63540c7eb841b516ca2dfd571c61
Opcode Fuzzy Hash: 26b26bda45b6e3f40ce1fdb4f6f396fa8e493ffcc57db85e29ce8398fd560e4c
Instruction Fuzzy Hash: DCD0C9B481111DEACBA4DB90DC88DDDB37CBB14305F100152F106A2000D73495489F50

Function 0012AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0012B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0012B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0012B1D4
_wcslen.LIBCMT ref: 0012B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0012B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0012B236
_wcslen.LIBCMT ref: 0012B332

Part of subcall function 001105A7: GetStdHandle.KERNEL32(000000F6), ref: 001105C6

_wcslen.LIBCMT ref: 0012B34B
_wcslen.LIBCMT ref: 0012B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0012B3B6
GetLastError.KERNEL32(00000000), ref: 0012B407
CloseHandle.KERNEL32(?), ref: 0012B439
CloseHandle.KERNEL32(00000000), ref: 0012B44A
CloseHandle.KERNEL32(00000000), ref: 0012B45C
CloseHandle.KERNEL32(00000000), ref: 0012B46E
CloseHandle.KERNEL32(?), ref: 0012B4E3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 2f5fa03717a1c988981a1962384390ed8f479d31d83c9a25c77f962f92463014
Instruction ID: 0c79bdaff78d978d8cc4fb45647b0fe93eedffa70bdf99cecaed8afa0a7ec91d
Opcode Fuzzy Hash: 2f5fa03717a1c988981a1962384390ed8f479d31d83c9a25c77f962f92463014
Instruction Fuzzy Hash: DBF19B316083509FC715EF24D891BAEBBE1BF85310F18855DF8999B2A2DB31EC50CB92

Function 000AD733 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 000AD807
timeGetTime.WINMM ref: 000ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000ADB28
TranslateMessage.USER32(?), ref: 000ADB7B
DispatchMessageW.USER32(?), ref: 000ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000ADB9F
Sleep.KERNEL32(0000000A), ref: 000ADBB1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 6aeafa795155a797e0df65b93d336a773582dc2cda1a7aca19c335e9fded85ea
Instruction ID: 79621f5e760cfc56494786fc7e516783aad1ddded0110d4645fe01374ea8b6ef
Opcode Fuzzy Hash: 6aeafa795155a797e0df65b93d336a773582dc2cda1a7aca19c335e9fded85ea
Instruction Fuzzy Hash: D142D030608346EFD778CF64C844BBAB7E1BF46314F14451EE5A687AA2D770E884DB92

Function 000A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000A2D07
RegisterClassExW.USER32(00000030), ref: 000A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A2D42
InitCommonControlsEx.COMCTL32(?), ref: 000A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A2D6F
LoadIconW.USER32(000000A9), ref: 000A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A2D94

Strings

0, xrefs: 000A2CE9
AutoIt v3 GUI, xrefs: 000A2D23
TaskbarCreated, xrefs: 000A2D37
+, xrefs: 000A2CF0

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d7a627faafbdff93790b13e4819ed79bfeef2d64113850fb9b6fd2ebe2242411
Instruction ID: 8db14334350d4ed742b57eb958a8d39f27fc9dde1b3debc83d9e71350e888feb
Opcode Fuzzy Hash: d7a627faafbdff93790b13e4819ed79bfeef2d64113850fb9b6fd2ebe2242411
Instruction Fuzzy Hash: 9C21F4B5911308AFDB00DFA8EC89BDDBBB4FB08704F10411AFA15B66A0D7B54580CFA0

Function 000E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000E039A: CreateFileW.KERNEL32(00000000,00000000,?,000E0704,?,?,00000000,?,000E0704,00000000,0000000C), ref: 000E03B7

GetLastError.KERNEL32 ref: 000E076F
__dosmaperr.LIBCMT ref: 000E0776
GetFileType.KERNEL32(00000000), ref: 000E0782
GetLastError.KERNEL32 ref: 000E078C
__dosmaperr.LIBCMT ref: 000E0795
CloseHandle.KERNEL32(00000000), ref: 000E07B5
CloseHandle.KERNEL32(?), ref: 000E08FF
GetLastError.KERNEL32 ref: 000E0931
__dosmaperr.LIBCMT ref: 000E0938

Strings

H, xrefs: 000E08BD

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 12670a024aca3d98364addf66474bfa7ccb4ac6bb7b2b5d83597e287e9d6a9d7
Instruction ID: a1bbacd13894eb9de4d538ed1240fde96202daaee4414630bbc123ecf613639d
Opcode Fuzzy Hash: 12670a024aca3d98364addf66474bfa7ccb4ac6bb7b2b5d83597e287e9d6a9d7
Instruction Fuzzy Hash: 00A13832A041858FDF19AF68DC51BAD3BF1AB4A320F14015DF855AB392C7719D92CB91

Function 000A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00171418,?,000A2E7F,?,?,?,00000000), ref: 000A3A78

Part of subcall function 000A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000A3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000E31CE
RegCloseKey.ADVAPI32(?), ref: 000E3210
_wcslen.LIBCMT ref: 000E3277
_wcslen.LIBCMT ref: 000E3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 000A3560
\, xrefs: 000E328C
\Include\, xrefs: 000A3527
Include, xrefs: 000E3184, 000E31C5

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2cc491b905fd6dac0a0105859d4cc3b2bf13c3702af347223803c3449f99d8f7
Instruction ID: c1f1f15645b10a0728d784b78bcdfa6b808359f1915a9e72d76859c328213477
Opcode Fuzzy Hash: 2cc491b905fd6dac0a0105859d4cc3b2bf13c3702af347223803c3449f99d8f7
Instruction Fuzzy Hash: 087192715043019EC314DF65DC869ABBBF8FF89350F40482EF589A71A1EB749AC9CB92

Function 000A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 000A2B9D
LoadIconW.USER32(00000063), ref: 000A2BB3
LoadIconW.USER32(000000A4), ref: 000A2BC5
LoadIconW.USER32(000000A2), ref: 000A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000A2BEF
RegisterClassExW.USER32(?), ref: 000A2C40

Part of subcall function 000A2CD4: GetSysColorBrush.USER32(0000000F), ref: 000A2D07
Part of subcall function 000A2CD4: RegisterClassExW.USER32(00000030), ref: 000A2D31
Part of subcall function 000A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A2D42
Part of subcall function 000A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 000A2D5F
Part of subcall function 000A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A2D6F
Part of subcall function 000A2CD4: LoadIconW.USER32(000000A9), ref: 000A2D85
Part of subcall function 000A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A2D94

Strings

#, xrefs: 000A2C16
AutoIt v3, xrefs: 000A2C2F
0, xrefs: 000A2C0F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1a2453bed0180bd2551941dffd6cea18b68a5e79ff7a61673faa4728a8f606f1
Instruction ID: 8e0359cf23e695d709f5f7a7be2bd5be53f8914bbbb227392fe0be08742f8bc5
Opcode Fuzzy Hash: 1a2453bed0180bd2551941dffd6cea18b68a5e79ff7a61673faa4728a8f606f1
Instruction Fuzzy Hash: AA212975E00318BBDB109FA9EC56BA97FB4FB48B60F10402AF508B6AA0D7B545C4CF90

Function 000A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,000A316A,?,?), ref: 000A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,000A316A,?,?), ref: 000A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,000A316A,?,?), ref: 000A3232
CreatePopupMenu.USER32 ref: 000A3246
PostQuitMessage.USER32(00000000), ref: 000A3267

Strings

TaskbarCreated, xrefs: 000A322D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2fc05f00b8f31732ced038bd13ffae102d78c8a1936cb5d03549ea1d01fd1790
Instruction ID: bd11b1fa047f021d1c1dcc53b676a18e78222350852a7feef58c487ee85fc437
Opcode Fuzzy Hash: 2fc05f00b8f31732ced038bd13ffae102d78c8a1936cb5d03549ea1d01fd1790
Instruction Fuzzy Hash: 8A415D31244204BBDB641BFCDD0EBBD36AAF747354F044215FA0AA66E2CB718EC197A1

Function 000A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000A1459
CoUninitialize.COMBASE ref: 000A14F8
UnregisterHotKey.USER32(?), ref: 000A16DD
DestroyWindow.USER32(?), ref: 000E24B9
FreeLibrary.KERNEL32(?), ref: 000E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000E254B

Strings

close all, xrefs: 000A1454

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 84218bf171c22e81d787577698a55d7b844257ec79aed68d02ac860f7d6d77e6
Instruction ID: d284c5ca89ede94400676c616283cd58e8283d3d0113d7938c06fd01c9c8f991
Opcode Fuzzy Hash: 84218bf171c22e81d787577698a55d7b844257ec79aed68d02ac860f7d6d77e6
Instruction Fuzzy Hash: 19D17C31701212CFCB29EF55C999AA9F7A5BF06700F1542ADE44ABB252CB30ED52CF90

Function 0010DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0010DE42
gethostname.WS2_32(?,00000100), ref: 0010DE5C
gethostbyname.WS2_32(?), ref: 0010DE69
inet_ntoa.WSOCK32(?), ref: 0010DEAB
_strcat.LIBCMT ref: 0010DEB9
WSACleanup.WSOCK32 ref: 0010DEDE

Strings

0.0.0.0, xrefs: 0010DE87

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 6af81e2c123a42d62e11bcacf535c3b8da72a062518c8bda236ba6775e66190d
Instruction ID: bec85fd462b860e5bf9bebd5d8e66507f75852234f8b2ee13a0b020f4e021949
Opcode Fuzzy Hash: 6af81e2c123a42d62e11bcacf535c3b8da72a062518c8bda236ba6775e66190d
Instruction Fuzzy Hash: 3E11EC72504115AFCB247B74EC4AEEE77ACEF51711F0101A9F545A60D2EFB1CA818B90

Function 000A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,000A1CAD,?), ref: 000A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,000A1CAD,?), ref: 000A2CCF

Strings

AutoIt v3, xrefs: 000A2C89, 000A2C8E, 000A2C8F
edit, xrefs: 000A2CAC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c8a72cde310a86ad824065bd56f9e01f5254d6fa422bb3673ef9321be1d4686a
Instruction ID: 61a0b734db526edf9ba38d7c236d3bf29205936a94425acce24251f8ca690c21
Opcode Fuzzy Hash: c8a72cde310a86ad824065bd56f9e01f5254d6fa422bb3673ef9321be1d4686a
Instruction Fuzzy Hash: 8EF0DA755903907AEB31172BAC09E773EBDE7C6F60F11405AFD08A29A0C66118D0DBB0

Function 000FD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000FD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000FD3BF
FreeLibrary.KERNEL32(00000000), ref: 000FD3E5

Strings

X64, xrefs: 000FD2A8
GetSystemWow64DirectoryW, xrefs: 000FD3B9

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 62eafd3905ef07ac989f2f11ea8e999ad9c78be109175a147eb9a3b17cf1c3bf
Instruction ID: 38028aa2f4ffb51424b51e5f78c2a67631c5af1a3697b37f9daf2dd644b743fb
Opcode Fuzzy Hash: 62eafd3905ef07ac989f2f11ea8e999ad9c78be109175a147eb9a3b17cf1c3bf
Instruction Fuzzy Hash: 27F02032806629DBE7B05710CC689BD73A2AF21B01F548057E702F2914DB20CE80B7C2

Function 000A10F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000A1BF4
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 000A1BFC
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000A1C07
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000A1C12
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 000A1C1A
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 000A1C22

Part of subcall function 000A1B4A: RegisterWindowMessageW.USER32(00000004,?,000A12C4), ref: 000A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000A136A
OleInitialize.OLE32 ref: 000A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 000E24AB

Strings

pF, xrefs: 000A1292

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: pF
API String ID: 1986988660-4122802920
Opcode ID: 01b674a01b6e5a9b86f63e8d6fc06f4378562e8d3798d743e57c9c0dc09b7e98
Instruction ID: 14f36a5543ff251e0a6ef4c7e172654b479ceda1d2879403f0e1f230d5a1955b
Opcode Fuzzy Hash: 01b674a01b6e5a9b86f63e8d6fc06f4378562e8d3798d743e57c9c0dc09b7e98
Instruction Fuzzy Hash: 7A71ADB5911300AFC388EFBDAD466953AF5FB8A344755822AE40EE7B62EB7044C1CF51

Function 000A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,000A3B0F,SwapMouseButtons,00000004,?), ref: 000A3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,000A3B0F,SwapMouseButtons,00000004,?), ref: 000A3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,000A3B0F,SwapMouseButtons,00000004,?), ref: 000A3B83

Strings

Control Panel\Mouse, xrefs: 000A3B3E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b1e3b601fad128362f882158aac5d7bf548c105dd2d52a4c2b91da94b161ae61
Instruction ID: f866c12425de72f978f6bbba32b83a1d2cff35aae6bee3ada493c6ef942e5e59
Opcode Fuzzy Hash: b1e3b601fad128362f882158aac5d7bf548c105dd2d52a4c2b91da94b161ae61
Instruction Fuzzy Hash: 5F112AB5521208FFDB608FA5DC85AAEB7BDEF45744B104459FA05E7110D3319E4097A0

Function 000ADFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 000F32B7

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: afb155863857440229e1fe9a514a1b7e6c9e97e0534694ac442aad3ca157b058
Instruction ID: e99c3d77b7e539e4f828b6d4794a814b8b6e14aa36a920bd24605d68b61786a1
Opcode Fuzzy Hash: afb155863857440229e1fe9a514a1b7e6c9e97e0534694ac442aad3ca157b058
Instruction Fuzzy Hash: 1EC2AC71A00255CFCB24CF98C884AADB7F1FF4A310F248569E915AB392D775EE81CB91

Function 000AEC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000AFE66

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 694ce95e4c47723bf54e32e2dcc4f6f21d3693c10fcd38f0ce153d2ce9bd061b
Instruction ID: 22e571b280909fefbf840e32a11876887b55388d4d85ba23c89770372ffa3ed1
Opcode Fuzzy Hash: 694ce95e4c47723bf54e32e2dcc4f6f21d3693c10fcd38f0ce153d2ce9bd061b
Instruction Fuzzy Hash: 23B26B74608342CFDB64CF94C480A7AB7F1BB9A310F24496DE9899B352D771ED81CB92

Function 000A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000E33A2

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 000A3A04

Strings

Line: , xrefs: 000E33EB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b991804e6f8ee7dd28fa91e94d8358c15d54ff029a93dd27b4c72d03d9661e16
Instruction ID: 86a0c20004e8127252be51c17d1bdbcbfc61b78e6ac2b2cf81001f15c2424321
Opcode Fuzzy Hash: b991804e6f8ee7dd28fa91e94d8358c15d54ff029a93dd27b4c72d03d9661e16
Instruction Fuzzy Hash: 8A31C271408304AEC721EBA4DC46FEFB7E8AB42720F00492EF59993492DB709788C7D2

Function 000BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 000C0668

Part of subcall function 000C32A4: RaiseException.KERNEL32(?,?,?,000C068A,?,00171444,?,?,?,?,?,?,000C068A,000A1129,00168738,000A1129), ref: 000C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 000C0685

Strings

Unknown exception, xrefs: 000C0692

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 520c51393bf1f3d8f4a62e6097f0d0e3f3bb60b73d41978ce3e8e531d3b8caa7
Instruction ID: 2c5791f94527bab160e7382d14139521e9fc94b97069eae7445b764fe4a2c736
Opcode Fuzzy Hash: 520c51393bf1f3d8f4a62e6097f0d0e3f3bb60b73d41978ce3e8e531d3b8caa7
Instruction Fuzzy Hash: 69F0623490020DB7CF10BBA4DC4AEEE7BAD5F40350B604539B914D65D2EF71EA66C681

Function 0010C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 000A3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0010C259
KillTimer.USER32(?,00000001,?,?), ref: 0010C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0010C270

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: a8f0b264fb538b9ea649e2e1b8f444fdb86f4df6ff6367135cc289c8cb20f1a8
Instruction ID: d181862ca2d9461ea4356d867147cc6c8377f12749ad03f7b3712d0e1534a4fb
Opcode Fuzzy Hash: a8f0b264fb538b9ea649e2e1b8f444fdb86f4df6ff6367135cc289c8cb20f1a8
Instruction Fuzzy Hash: 26319570904344AFEB229F648855BEBBBECAF16304F00049DE5DAA7682C7B45A84CF91

Function 000D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,000D85CC,?,00168CC8,0000000C), ref: 000D8704
GetLastError.KERNEL32(?,000D85CC,?,00168CC8,0000000C), ref: 000D870E
__dosmaperr.LIBCMT ref: 000D8739

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 33d33dc4599eccdad5f220be12096fc0d4771f2d0f3dce6a2f71cbe3baf2fd6e
Instruction ID: 8e10d11f4be026f4c68a0fe9fba45a773587d6c13fd3661f07a66b8a827b0863
Opcode Fuzzy Hash: 33d33dc4599eccdad5f220be12096fc0d4771f2d0f3dce6a2f71cbe3baf2fd6e
Instruction Fuzzy Hash: 45016B3260436026D2A567346C45BBE2B898B81775F39411BFC089B3D3DEA0CCC183B0

Function 000ADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 000ADB7B
DispatchMessageW.USER32(?), ref: 000ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000ADB9F
Sleep.KERNEL32(0000000A), ref: 000ADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 000F1CC9

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: d2fcd159d6fd3653e93b0682a444f5c40c50b8ecb782da196ae8da5f341f32a0
Instruction ID: 4982dac2aacf71f1263ba27223c2366d7f99a3bcebed659f9d84cf5d7f57be51
Opcode Fuzzy Hash: d2fcd159d6fd3653e93b0682a444f5c40c50b8ecb782da196ae8da5f341f32a0
Instruction Fuzzy Hash: 9BF05E30604384DBE770CBA0CC49FEA73FCEF45310F104619E65A938C0DB3494889B66

Function 000B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000B17F6

Strings

CALL, xrefs: 000B17C6

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 36ac6d57fea5dd86b2fa260e1c28bca5ec1c17eb6b19d0017ae55fb132b60306
Instruction ID: e882078696217c8d5e84e3243a2f9175026c6a864be64970cdcca6bd35344abf
Opcode Fuzzy Hash: 36ac6d57fea5dd86b2fa260e1c28bca5ec1c17eb6b19d0017ae55fb132b60306
Instruction Fuzzy Hash: CD228C70608201DFC724DF14C4A0BAABBF1BF85314F64892DF5969B7A2D732E945CB92

Function 000B01E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035177a13b17b9f18e0a457deca8b65cb48aa366eeb6e7e789b53c4001b025e6
Instruction ID: 5dfbc8118355a8fa7c8a2339a3e5ca7049a1d8a269398532d87027ac847fb237
Opcode Fuzzy Hash: 035177a13b17b9f18e0a457deca8b65cb48aa366eeb6e7e789b53c4001b025e6
Instruction Fuzzy Hash: 3A32CD30A006099FDB24DF54CC85BFEB7B5EF05311F148529EA25AB2A2D731EE84DB91

Function 000A2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 000E2C8C

Part of subcall function 000A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A3A97,?,?,000A2E7F,?,?,?,00000000), ref: 000A3AC2

Part of subcall function 000A2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000A2DC4

Strings

X, xrefs: 000E2C5A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 714237cec919f4a9272d786b2eec6a95005eb26ef579b6fda5bf08de48882f03
Instruction ID: 13e9e7ab2550b13d3ce7824bc86453c89cf2ba7c4ee8c41c6f611db0cfa0b213
Opcode Fuzzy Hash: 714237cec919f4a9272d786b2eec6a95005eb26ef579b6fda5bf08de48882f03
Instruction Fuzzy Hash: F621A571A00298AFDB41EFD8CC45BEE7BFCAF49314F004069E405B7242DBB45A898FA1

Function 000FD363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 000FD375

Strings

X64, xrefs: 000FD2A8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: bef4ba28724d64d56dc6d3ef63fd7ddfc7b9b4ec084891fdbe16d6e677b5396b
Instruction ID: 0634583c6e288cefa85da69c3ab9317228996ecd0319ac30a86882f251dfcfc6
Opcode Fuzzy Hash: bef4ba28724d64d56dc6d3ef63fd7ddfc7b9b4ec084891fdbe16d6e677b5396b
Instruction Fuzzy Hash: 03D0C9B581512CEACBA0DB40DC88DEDB37DBB14301F504152F102A2400D7349588AB51

Function 000A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A3908

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 335a2fb0f0be9d07dfb68f3f2e321de44599be6205913c984e99e3901a943ce4
Instruction ID: efee096ba93e1e881a4f0f5b3e1c5341b3022efd1db7de26dc6f8dbf9b1357bb
Opcode Fuzzy Hash: 335a2fb0f0be9d07dfb68f3f2e321de44599be6205913c984e99e3901a943ce4
Instruction Fuzzy Hash: 2C3181705043019FD760DF64D88579BBBF8FB49718F00092EF59993641E775AA84CB52

Function 000BF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000BF661

Part of subcall function 000AD733: GetInputState.USER32 ref: 000AD807

Sleep.KERNEL32(00000000), ref: 000FF2DE

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: e259ef7215afb1a64516d667d24cd03833937eaf4dcf55aa38dbb61d8a82d596
Instruction ID: 39888c725bca91f25c5358bfb7267429ba95acde7adffe28266403e2c362f8d2
Opcode Fuzzy Hash: e259ef7215afb1a64516d667d24cd03833937eaf4dcf55aa38dbb61d8a82d596
Instruction Fuzzy Hash: A8F0A0312406059FD314EFB9D859BAEB7E9FF4A760F00402AE85AD7762DB70A840CB90

Function 000AB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000ABB4E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 45485b7722aa979ffe331e45cbf12914e5e949d7362c177a1120d928e8fa2a00
Instruction ID: 047506c6a2c40eab29078572f6f8368562c79ee470672dc2d3e5e3d5e4c82b70
Opcode Fuzzy Hash: 45485b7722aa979ffe331e45cbf12914e5e949d7362c177a1120d928e8fa2a00
Instruction Fuzzy Hash: 37329D34A00209DFDB24CF94C894ABEB7F9FF46310F148059EA05AB653D7B5AE81DB91

Function 000A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000A4EDD,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E9C
Part of subcall function 000A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000A4EAE
Part of subcall function 000A4E90: FreeLibrary.KERNEL32(00000000,?,?,000A4EDD,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4EFD

Part of subcall function 000A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000E3CDE,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E62
Part of subcall function 000A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000A4E74
Part of subcall function 000A4E59: FreeLibrary.KERNEL32(00000000,?,?,000E3CDE,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E87

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d959033bd9235909ff09e4f4d2edd6ac9d0165c674c979697be3d4bc8409ad1c
Instruction ID: e3520ec3cfac2f61c4df4095d51c678d3a6923c566df99f653d19229aebc6966
Opcode Fuzzy Hash: d959033bd9235909ff09e4f4d2edd6ac9d0165c674c979697be3d4bc8409ad1c
Instruction Fuzzy Hash: EA11E736610205AECB24EFA0DC06FED77A5AF91711F20442DF552BB1C2DFB0AE459750

Function 000D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 000D8440

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: cbce062f5961e969325efab2e51c55fa25b219718119007162d885947588a81f
Instruction ID: 8cc984af5c31e8d87e737cfba5337192869e3d7d99473680de10e9cc048856ce
Opcode Fuzzy Hash: cbce062f5961e969325efab2e51c55fa25b219718119007162d885947588a81f
Instruction Fuzzy Hash: C911187590420AAFCB15DF58E941ADE7BF9EF49314F14805AF808AB312DB31EA11CBA5

Function 000D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000D4C7D: RtlAllocateHeap.NTDLL(00000008,000A1129,00000000,?,000D2E29,00000001,00000364,?,?,?,000CF2DE,000D3863,00171444,?,000BFDF5,?), ref: 000D4CBE

_free.LIBCMT ref: 000D506C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 7479e567e6154aab870bab1004699d83a095b4318597c3adc3446754d5b70e8c
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C40126722047046BE3318E659C85A9AFFECFB89370F25051EE58483380EA30A805C6B4

Function 000CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 422f0125559da6018e97cd004a79afc0a1c380bcf45fed7eb5c882bd62309bc7
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 83F0D132521B5096C6312B79DC05F9E339C9F623B4F10072EF421922D3DA74A80186B5

Function 000D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,000A1129,00000000,?,000D2E29,00000001,00000364,?,?,?,000CF2DE,000D3863,00171444,?,000BFDF5,?), ref: 000D4CBE

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d1e1df192dcc7eab62a942ff9560ed4c336a59bca30e8c0d65cb8f969da1a225
Instruction ID: 0842ff8d7d9ae21cbe6a5dab7c795debeee07679556782a48e8f621107c1285f
Opcode Fuzzy Hash: d1e1df192dcc7eab62a942ff9560ed4c336a59bca30e8c0d65cb8f969da1a225
Instruction Fuzzy Hash: EDF0BE31622324A7DBA15F629C0AF9E37C9BF517A1B19512BB819AA381CA70D80196F0

Function 000D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2d67a085329ca5becd4b5a6d65116f09b1284d777da46c3ee8db405510637633
Instruction ID: ac4191c2711406c44899d0d5ece2ab5b476ad478c210492d93368b0fd461975a
Opcode Fuzzy Hash: 2d67a085329ca5becd4b5a6d65116f09b1284d777da46c3ee8db405510637633
Instruction Fuzzy Hash: D9E0E531100325A6D63127669C01FDE368AAB427B0F090026BC0496A81CF50DD01B2F3

Function 000A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4F6D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d25c3058a8521e12d91bf551aa0ab2a4e0edb47feb10ca45b3c30e2f2f407f62
Instruction ID: 934f64d35c9199d222055357211dbe2599f2792daee90d63fd60c21dec60aa3b
Opcode Fuzzy Hash: d25c3058a8521e12d91bf551aa0ab2a4e0edb47feb10ca45b3c30e2f2f407f62
Instruction Fuzzy Hash: A4F0A979005342CFCB348FA0D490826BBE0AF42329320997EE1EA82621C7B19884EF40

Function 00132A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00132A66

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ada25f9f626aeb5c91ea199209ee798181aa64f864e0ef8d2db07ed5e567b210
Instruction ID: 522edac30196068f75d6369e7cbffbb2c23a7b0db8b3ccc86beb000f908bc32e
Opcode Fuzzy Hash: ada25f9f626aeb5c91ea199209ee798181aa64f864e0ef8d2db07ed5e567b210
Instruction Fuzzy Hash: FBE0467635011AABC718FA30EC908FAB35CEF60795B10453AED6AD3640EB309A9586E0

Function 000A30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 000A314E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 922b2920fa871cc262706f8dcb9a436595508fb1d5c28e350c1299424632f4e6
Instruction ID: 82d2387dce994475cd17b2559f3386532a9f360336c18a6edeec94e6d1b4e6d0
Opcode Fuzzy Hash: 922b2920fa871cc262706f8dcb9a436595508fb1d5c28e350c1299424632f4e6
Instruction Fuzzy Hash: 92F03770914354AFE7529B64DC4A7D97BFCB701708F0000E9A54C96592DB7457C8CF51

Function 000A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000A2DC4

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f600f5e97a5031bec2cb3d94450ea0aa160d7de9b919220d13fdcd7d7f79ec5f
Instruction ID: e3ea6fc7d77365976fce8598224caa1778998e6f5f1aa769f0ec90f211e782e1
Opcode Fuzzy Hash: f600f5e97a5031bec2cb3d94450ea0aa160d7de9b919220d13fdcd7d7f79ec5f
Instruction Fuzzy Hash: 8AE0CD726001245BC71192989C05FDA77EDDFC8790F040071FD09E7249DA70ADC08690

Function 000A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A3908

Part of subcall function 000AD733: GetInputState.USER32 ref: 000AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 000A2B6B

Part of subcall function 000A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 000A314E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 78e971bf55c7d009c74bcda86602f0fa489606539f2e0e443d78c6ce6eb466c8
Instruction ID: 239b840e5de0df4331f7aa7bc68a33a1e1584d1922b05a34cbdbccc32fc1344b
Opcode Fuzzy Hash: 78e971bf55c7d009c74bcda86602f0fa489606539f2e0e443d78c6ce6eb466c8
Instruction Fuzzy Hash: 18E0CD3230424417C608BBF8A8565FDB759DBD3351F40553EF14757163DF2485894351

Function 0010DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0010DF40

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 307060cea026a8d42f773d62613fe4a16ea6b108860f095388400a2dd713d8b6
Instruction ID: a0f36fc7339e6dbc191183333f1230efdc661b6ee56c3e572fa36e7f739fbaee
Opcode Fuzzy Hash: 307060cea026a8d42f773d62613fe4a16ea6b108860f095388400a2dd713d8b6
Instruction Fuzzy Hash: 97D05EA2A002283BDF60A6749D0DDF73AACC740210F0006A0786ED3152EA20DD8486F0

Function 000E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,000E0704,?,?,00000000,?,000E0704,00000000,0000000C), ref: 000E03B7

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b35b3baaea2b46cca4ed0b3a6a2c9a1af7386082786df449ef10f2272edd7ecc
Instruction ID: ff41de3570ef44d84763798572b3e89c2f95121c97a7a49b4ad043a7bdf0e610
Opcode Fuzzy Hash: b35b3baaea2b46cca4ed0b3a6a2c9a1af7386082786df449ef10f2272edd7ecc
Instruction Fuzzy Hash: 7ED06C3204010DFBDF029F84DD06EDA3BAAFB48714F014000BE1866020C732E861AB90

Function 000A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 000A1CBC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 84ee1ceb54cc02f6f9d489886f2a73d2a3efaef512a2bd90d0f8b7df4b26472b
Instruction ID: 0116f8300fc6c90d0c1752481993495aebde2de1ff09bddb1992718b1b4a6363
Opcode Fuzzy Hash: 84ee1ceb54cc02f6f9d489886f2a73d2a3efaef512a2bd90d0f8b7df4b26472b
Instruction Fuzzy Hash: 07C04836380205AAE2148B94AC4AF507764A348B10F148001F64DA99E382A228E0AAA0

Non-executed Functions

Function 00139576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0013961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0013965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0013969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001396C9
SendMessageW.USER32 ref: 001396F2
GetKeyState.USER32(00000011), ref: 0013978B
GetKeyState.USER32(00000009), ref: 00139798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001397AE
GetKeyState.USER32(00000010), ref: 001397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001397E9
SendMessageW.USER32 ref: 00139810
SendMessageW.USER32(?,00001030,?,00137E95), ref: 00139918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0013992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00139941
SetCapture.USER32(?), ref: 0013994A
ClientToScreen.USER32(?,?), ref: 001399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001399D6
ReleaseCapture.USER32 ref: 001399E1
GetCursorPos.USER32(?), ref: 00139A19
ScreenToClient.USER32(?,?), ref: 00139A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00139A80
SendMessageW.USER32 ref: 00139AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00139AEB
SendMessageW.USER32 ref: 00139B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00139B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00139B4A
GetCursorPos.USER32(?), ref: 00139B68
ScreenToClient.USER32(?,?), ref: 00139B75
GetParent.USER32(?), ref: 00139B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00139BFA
SendMessageW.USER32 ref: 00139C2B
ClientToScreen.USER32(?,?), ref: 00139C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00139CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00139CDE
SendMessageW.USER32 ref: 00139D01
ClientToScreen.USER32(?,?), ref: 00139D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00139D82

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

GetWindowLongW.USER32(?,000000F0), ref: 00139E05

Strings

F, xrefs: 00139D07
@GUI_DRAGID, xrefs: 0013997D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6d4230a38f39ff299f723e5d4fef6ed1c98587d79332d57d9ed431bc934f409f
Instruction ID: 4c7065e8ccc4be233751acf1047286b4a274d24c1423bbb5c01abb4e0cbe14eb
Opcode Fuzzy Hash: 6d4230a38f39ff299f723e5d4fef6ed1c98587d79332d57d9ed431bc934f409f
Instruction Fuzzy Hash: 7A42ADB5205200AFDB24CF28CC85EAABBF5FF49314F100619F699976A1D7B1E891CF91

Function 00134873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00134908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00134927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0013494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0013495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0013497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00134A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00134A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00134A7E
IsMenu.USER32(?), ref: 00134A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00134AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00134B20
GetWindowLongW.USER32(?,000000F0), ref: 00134B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00134BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00134C82
wsprintfW.USER32 ref: 00134CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00134CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00134CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00134D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00134D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00134D5A

Strings

%d/%02d/%02d, xrefs: 00134CA8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: da6c2ac58fa62392733c81c0cb26ebc30297d668c9afc1c739d11622079fd4e8
Instruction ID: 36a233011cb13438f6d17d27acf042730cc3075a6b655b1ff82e90946b0ff63e
Opcode Fuzzy Hash: da6c2ac58fa62392733c81c0cb26ebc30297d668c9afc1c739d11622079fd4e8
Instruction Fuzzy Hash: 8E12BC71600254ABEB258F68CC4AFEE7BF8EF45710F144129F516EB2E1DB74A941CB90

Function 000BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 000BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000FF474
IsIconic.USER32(00000000), ref: 000FF47D
ShowWindow.USER32(00000000,00000009), ref: 000FF48A
SetForegroundWindow.USER32(00000000), ref: 000FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000FF4AA
GetCurrentThreadId.KERNEL32 ref: 000FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 000FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000FF4DE
SetForegroundWindow.USER32(00000000), ref: 000FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 000FF4F6
keybd_event.USER32(00000012,00000000), ref: 000FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 000FF50B
keybd_event.USER32(00000012,00000000), ref: 000FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 000FF519
keybd_event.USER32(00000012,00000000), ref: 000FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 000FF528
keybd_event.USER32(00000012,00000000), ref: 000FF52D
SetForegroundWindow.USER32(00000000), ref: 000FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 000FF557

Strings

Shell_TrayWnd, xrefs: 000FF46F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a8bb7912d2269179716d39185b7d23cef60beb27e333e1696d72d5d6e7820eb9
Instruction ID: ea83eb7c84a2709ee1300266b76db985ab30b69cd5fd8eead8f6faa304e77efb
Opcode Fuzzy Hash: a8bb7912d2269179716d39185b7d23cef60beb27e333e1696d72d5d6e7820eb9
Instruction Fuzzy Hash: 08313E71A40218BAEB206BB55C4AFBF7EACEB44B50F100065FB05F65D1D6B19940ABA0

Function 00101201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0010170D
Part of subcall function 001016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0010173A
Part of subcall function 001016C3: GetLastError.KERNEL32 ref: 0010174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00101286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001012A8
CloseHandle.KERNEL32(?), ref: 001012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001012D1
GetProcessWindowStation.USER32 ref: 001012EA
SetProcessWindowStation.USER32(00000000), ref: 001012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00101310

Part of subcall function 001010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001011FC), ref: 001010D4
Part of subcall function 001010BF: CloseHandle.KERNEL32(?,?,001011FC), ref: 001010E9

Strings

default, xrefs: 0010130B
, xrefs: 0010125A
winsta0, xrefs: 001012CC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 1cbbe48dc371d81087aec6bb1c00f479875bc38479e7ad2b09aff96b8148ea28
Instruction ID: 645a7df8424be1c02d444c444c7b9cfeb454f8f6a82df35b057b1b916b17449e
Opcode Fuzzy Hash: 1cbbe48dc371d81087aec6bb1c00f479875bc38479e7ad2b09aff96b8148ea28
Instruction Fuzzy Hash: 3B817A71900249BBDF219FA4DC49BEE7BB9EF08704F144129F950F62A0DBB98994CB61

Function 00100B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00101114
Part of subcall function 001010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101120
Part of subcall function 001010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 0010112F
Part of subcall function 001010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101136
Part of subcall function 001010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0010114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00100BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00100C00
GetLengthSid.ADVAPI32(?), ref: 00100C17
GetAce.ADVAPI32(?,00000000,?), ref: 00100C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00100C6D
GetLengthSid.ADVAPI32(?), ref: 00100C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00100C8C
HeapAlloc.KERNEL32(00000000), ref: 00100C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00100CB4
CopySid.ADVAPI32(00000000), ref: 00100CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00100CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00100D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00100D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100D45
HeapFree.KERNEL32(00000000), ref: 00100D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100D55
HeapFree.KERNEL32(00000000), ref: 00100D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100D65
HeapFree.KERNEL32(00000000), ref: 00100D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00100D78
HeapFree.KERNEL32(00000000), ref: 00100D7F

Part of subcall function 00101193: GetProcessHeap.KERNEL32(00000008,00100BB1,?,00000000,?,00100BB1,?), ref: 001011A1
Part of subcall function 00101193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00100BB1,?), ref: 001011A8
Part of subcall function 00101193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00100BB1,?), ref: 001011B7

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5f916c28a5055a1e1066d94648b4332c4a2ccc2a7307e8593310e5af4010b655
Instruction ID: e333e52d82c32f4172603f04b990eccf896f531e036df6a741fc3011163983f0
Opcode Fuzzy Hash: 5f916c28a5055a1e1066d94648b4332c4a2ccc2a7307e8593310e5af4010b655
Instruction Fuzzy Hash: F471687690020AABDF11DFE4DC44BAEBBB8BF08310F048515F954B6291D7B5AA45CBB0

Function 0011EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0013CC08), ref: 0011EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0011EB37
GetClipboardData.USER32(0000000D), ref: 0011EB43
CloseClipboard.USER32 ref: 0011EB4F
GlobalLock.KERNEL32(00000000), ref: 0011EB87
CloseClipboard.USER32 ref: 0011EB91
GlobalUnlock.KERNEL32(00000000), ref: 0011EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0011EBC9
GetClipboardData.USER32(00000001), ref: 0011EBD1
GlobalLock.KERNEL32(00000000), ref: 0011EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0011EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0011EC38
GetClipboardData.USER32(0000000F), ref: 0011EC44
GlobalLock.KERNEL32(00000000), ref: 0011EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0011EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0011EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0011ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0011ECF3
CountClipboardFormats.USER32 ref: 0011ED14
CloseClipboard.USER32 ref: 0011ED59

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 601392e6d47197b8b07b6120a2a4213ac13862efdde7657056b5fde4a8960775
Instruction ID: 17a88369d1cf441952abc40664be23db2ffdd078343c7c4a32d8c7607b01f62c
Opcode Fuzzy Hash: 601392e6d47197b8b07b6120a2a4213ac13862efdde7657056b5fde4a8960775
Instruction Fuzzy Hash: F861F4752083019FD704EFA4D889FAA77E4EF85714F08452DF856972A2CB31DD85CBA2

Function 0011698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001169BE
FindClose.KERNEL32(00000000), ref: 00116A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00116A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00116A75

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00116AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00116ADF

Strings

%4d, xrefs: 00116BB1
%02d, xrefs: 00116C00, 00116C0A, 00116C5A, 00116CAA, 00116CFA, 00116D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00116B6A
%03d, xrefs: 00116DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00116B32

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9d198a920fac22f6363cb8f59c027c99a95aa66e61dc9b407a35595a66047589
Instruction ID: eb08575d9d083051201d1346c50fbe9ba2366a620ebfe70768ec89917d69ca86
Opcode Fuzzy Hash: 9d198a920fac22f6363cb8f59c027c99a95aa66e61dc9b407a35595a66047589
Instruction Fuzzy Hash: 84D13172508300AEC714EBA4CC91EEBB7ECAF89704F44492DF589D7192EB75DA44CB62

Function 00119642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00119663
GetFileAttributesW.KERNEL32(?), ref: 001196A1
SetFileAttributesW.KERNEL32(?,?), ref: 001196BB
FindNextFileW.KERNEL32(00000000,?), ref: 001196D3
FindClose.KERNEL32(00000000), ref: 001196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0011974A
SetCurrentDirectoryW.KERNEL32(00166B7C), ref: 00119768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00119772
FindClose.KERNEL32(00000000), ref: 0011977F
FindClose.KERNEL32(00000000), ref: 0011978F

Strings

*.*, xrefs: 001196F5

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fc2e9728bd8b203323af0d770a95799fcb92df7b52bb2c7f487c05065e4a85b6
Instruction ID: 41674e54b69f7f4210e78dc593200991b6e5cbc1fa03483121675925aaebde79
Opcode Fuzzy Hash: fc2e9728bd8b203323af0d770a95799fcb92df7b52bb2c7f487c05065e4a85b6
Instruction Fuzzy Hash: E531B3326406196ADB18AFB4DC59EEE77ACAF09321F144165F825E20E0DB34DDC4CFA4

Function 0011979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 001197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00119819
FindClose.KERNEL32(00000000), ref: 00119824
FindFirstFileW.KERNEL32(*.*,?), ref: 00119840
SetCurrentDirectoryW.KERNEL32(?), ref: 00119890
SetCurrentDirectoryW.KERNEL32(00166B7C), ref: 001198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001198B8
FindClose.KERNEL32(00000000), ref: 001198C5
FindClose.KERNEL32(00000000), ref: 001198D5

Part of subcall function 0010DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0010DB00

Strings

*.*, xrefs: 0011983B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b2d5e294ca1e1e23b7d5dfbf09a1bd03bdda458fd93e0f111b0e382d315103da
Instruction ID: bac3fb509f1c62dfbb311abd80b7245a0cba8b3802af0c0c019adcd3df96fb9d
Opcode Fuzzy Hash: b2d5e294ca1e1e23b7d5dfbf09a1bd03bdda458fd93e0f111b0e382d315103da
Instruction Fuzzy Hash: 0C31B43250061D6EDB18EFB4EC58ADE77ACAF06320F144165E864B21E1DB34D9C5CB60

Function 0012BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0012C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012C9F1
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA68
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0012BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0012BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0012C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0012C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0012C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0012C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0012C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0012C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0012C382
RegCloseKey.ADVAPI32(00000000), ref: 0012C38F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 42ff3c6cbea01a3b85b82076af3f8a17aa2097a966fd544477b2ace7b644814a
Instruction ID: 812cefccfd9fcb387495248f02601452ad1653cbf6d7774f7d6ce74dc7f2934c
Opcode Fuzzy Hash: 42ff3c6cbea01a3b85b82076af3f8a17aa2097a966fd544477b2ace7b644814a
Instruction Fuzzy Hash: 31025B716042109FC714DF28D891E2ABBE5EF89304F19C89DF84ADB2A2DB31ED55CB91

Function 0010D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A3A97,?,?,000A2E7F,?,?,?,00000000), ref: 000A3AC2

Part of subcall function 0010E199: GetFileAttributesW.KERNEL32(?,0010CF95), ref: 0010E19A

FindFirstFileW.KERNEL32(?,?), ref: 0010D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0010D1DD
MoveFileW.KERNEL32(?,?), ref: 0010D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0010D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0010D237

Part of subcall function 0010D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0010D21C,?,?), ref: 0010D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0010D253
FindClose.KERNEL32(00000000), ref: 0010D264

Strings

\*.*, xrefs: 0010D0CD, 0010D0D6, 0010D0EB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 613bd6d1238475816bca1cd628bc005ae4ec5667e6f7364756b13e41173885ed
Instruction ID: cce27b188f63dc7791ebb086a0acd59034326d691364888828302d85c3d8cf3c
Opcode Fuzzy Hash: 613bd6d1238475816bca1cd628bc005ae4ec5667e6f7364756b13e41173885ed
Instruction Fuzzy Hash: 59617D3190111DABCF05EBE0DA929EEB7B5AF66340F608165E44277192EF706F09CB60

Function 0011ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0011ED91
EmptyClipboard.USER32 ref: 0011ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0011EDAC
CloseClipboard.USER32 ref: 0011EEA3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 88940a1451ae8cc38fa5122390e4cbc4223f6c674ce54eac1a70312fd2130dfd
Instruction ID: 9a46dfacf822ba0377d08ac877edca381193ccc398be6715e116b3ca8fe207ce
Opcode Fuzzy Hash: 88940a1451ae8cc38fa5122390e4cbc4223f6c674ce54eac1a70312fd2130dfd
Instruction Fuzzy Hash: 51419D75204611AFE714CFA5E849F59BBE1AF44318F15C0A9E8199BA62C731EC81CBD0

Function 0010E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0010170D
Part of subcall function 001016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0010173A
Part of subcall function 001016C3: GetLastError.KERNEL32 ref: 0010174A

ExitWindowsEx.USER32(?,00000000), ref: 0010E932

Strings

SeShutdownPrivilege, xrefs: 0010E902
, xrefs: 0010E95C
@, xrefs: 0010E925
, xrefs: 0010E920

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c9fadfb06d6ce3b2f37428a140d4f1ce025992e64af1a7b841dae923af31d2f1
Instruction ID: ce58203e5f644518e71471ca3e636f541b3a024ae346529e9681abc1815bfefd
Opcode Fuzzy Hash: c9fadfb06d6ce3b2f37428a140d4f1ce025992e64af1a7b841dae923af31d2f1
Instruction Fuzzy Hash: AB01D673610311ABEB5826B69C86BBB729CA718758F154D21FC82F21D1D7E55C8086D0

Function 00121204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00121276
WSAGetLastError.WSOCK32 ref: 00121283
bind.WSOCK32(00000000,?,00000010), ref: 001212BA
WSAGetLastError.WSOCK32 ref: 001212C5
closesocket.WSOCK32(00000000), ref: 001212F4
listen.WSOCK32(00000000,00000005), ref: 00121303
WSAGetLastError.WSOCK32 ref: 0012130D
closesocket.WSOCK32(00000000), ref: 0012133C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: bec1c6a06bc52dbda60878d439dd2c28602b588d063dda0c9f0bcf9200f2fd01
Instruction ID: 2080b630ff8d329e7caa31687d7989b019eb5541ff9ad0fd103c84597f3477bd
Opcode Fuzzy Hash: bec1c6a06bc52dbda60878d439dd2c28602b588d063dda0c9f0bcf9200f2fd01
Instruction Fuzzy Hash: 66416331A00110EFD714DF64D484B6ABBE6BF56318F288198E8569F297C771ED81CBE1

Function 000DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000DB9D4
_free.LIBCMT ref: 000DB9F8
_free.LIBCMT ref: 000DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00143700), ref: 000DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0017121C,000000FF,00000000,0000003F,00000000,?,?), ref: 000DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00171270,000000FF,?,0000003F,00000000,?), ref: 000DBC36
_free.LIBCMT ref: 000DBD4B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 6486ddf5624930796d461c9d0511796f160fbd787b28f1ad5b8713a3e5aee439
Instruction ID: c9d6ad5df922b0287208de1f8442808ad0924be8241a9e884d4737d40123971e
Opcode Fuzzy Hash: 6486ddf5624930796d461c9d0511796f160fbd787b28f1ad5b8713a3e5aee439
Instruction Fuzzy Hash: 8AC10375904344EBCB209F6C8C51AAEBBF9EF41350F26419BE49497352EB309E419B70

Function 0010D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A3A97,?,?,000A2E7F,?,?,?,00000000), ref: 000A3AC2

Part of subcall function 0010E199: GetFileAttributesW.KERNEL32(?,0010CF95), ref: 0010E19A

FindFirstFileW.KERNEL32(?,?), ref: 0010D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0010D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0010D481
FindClose.KERNEL32(00000000), ref: 0010D498
FindClose.KERNEL32(00000000), ref: 0010D4A1

Strings

\*.*, xrefs: 0010D3F2

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: dcacdea46a3726280d88cfa6119c5f2e91e06f3b5bc10ed702b1f475555ca2e4
Instruction ID: fe1be979e1559edae76ad89f50e0fe2ca59548833dd5f54795bf2cb49c6b0e97
Opcode Fuzzy Hash: dcacdea46a3726280d88cfa6119c5f2e91e06f3b5bc10ed702b1f475555ca2e4
Instruction Fuzzy Hash: 89315C720083559BC304EFA4D8918EFB7A8BF92314F444A1DF4D1931D2EB74AA09CBA3

Function 000DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000DE645

Strings

1#QNAN, xrefs: 000DF84B
1#INF, xrefs: 000DF852
1#IND, xrefs: 000DF83D
1#SNAN, xrefs: 000DF844

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2fde496ee71036f744a0674f124781ad61f7977cfdd9de5d59e939c9b9e9137d
Instruction ID: b9644d803d2500723f69ea58640789be04c2c6cf0c5e531c4fea027e3c1613ad
Opcode Fuzzy Hash: 2fde496ee71036f744a0674f124781ad61f7977cfdd9de5d59e939c9b9e9137d
Instruction Fuzzy Hash: E9C23771E086698BDB65DF28DD407EAB7B5EB48304F1481EBD80EE7241E774AE818F50

Function 0011648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001164DC
CoInitialize.OLE32(00000000), ref: 00116639
CoCreateInstance.OLE32(0013FCF8,00000000,00000001,0013FB68,?), ref: 00116650
CoUninitialize.OLE32 ref: 001168D4

Strings

.lnk, xrefs: 001164BA, 00116524, 001165E0

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 2be558eccbbd2c7752c02cf4021125197db6a9208c32d652ed27972102b9b50b
Instruction ID: f1f118bd45e2f746ebdca56c0b74b60b3ae6ba5dbed757a15cd7eb70b9b2b26a
Opcode Fuzzy Hash: 2be558eccbbd2c7752c02cf4021125197db6a9208c32d652ed27972102b9b50b
Instruction Fuzzy Hash: C3D15971608301AFC304EF64C881EABB7E9FF95344F00896DF5958B292EB71E945CB92

Function 001222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001222E8

Part of subcall function 0011E4EC: GetWindowRect.USER32(?,?), ref: 0011E504

GetDesktopWindow.USER32 ref: 00122312
GetWindowRect.USER32(00000000), ref: 00122319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00122355
GetCursorPos.USER32(?), ref: 00122381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001223DF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9ae4baa698fbbb542d9b819db931a8d54f1a2667c00bff4b56afa325dedbc49d
Instruction ID: fcf45908c7946927ba12ca3a6895739796bfe9605db07bffc6d00e2cd5fe2698
Opcode Fuzzy Hash: 9ae4baa698fbbb542d9b819db931a8d54f1a2667c00bff4b56afa325dedbc49d
Instruction Fuzzy Hash: 6831ED72104325AFD724DF54D809A9BBBE9FF88314F000A19F984A7181DB74EA58CBD2

Function 00119B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00119B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00119C8B

Part of subcall function 00113874: GetInputState.USER32 ref: 001138CB
Part of subcall function 00113874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00113966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00119BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00119C75

Strings

*.*, xrefs: 00119B5D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9bf985fc44fac420900e3fd0202d9d29e93d6b0e1fdd1424eacb0f229c3b22e1
Instruction ID: a219071978c364b195b5f6f9672834874915e39b024e4e26c1e1a1e2ca6d0523
Opcode Fuzzy Hash: 9bf985fc44fac420900e3fd0202d9d29e93d6b0e1fdd1424eacb0f229c3b22e1
Instruction Fuzzy Hash: 0B41517190420A9FCF18DFA4C855BEEBBB8EF05310F144165E855B6191EB30AE94CFA0

Function 000B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 000B9A4E
GetSysColor.USER32(0000000F), ref: 000B9B23
SetBkColor.GDI32(?,00000000), ref: 000B9B36

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0ea23751b0d01461d996f260e909a1751ae7bc282cf44e01adaf6e1f93935b4f
Instruction ID: 9cf7a56cd84d30e1f56e7a42c4047777ca6201fb93d93b87f29bcbf155d00398
Opcode Fuzzy Hash: 0ea23751b0d01461d996f260e909a1751ae7bc282cf44e01adaf6e1f93935b4f
Instruction Fuzzy Hash: 16A1E570218548BEE778AA3C8C99EFF36DDDB42340F154119F706D6E92CA259D41E2B3

Function 00121806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0012304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0012307A
Part of subcall function 0012304E: _wcslen.LIBCMT ref: 0012309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0012185D
WSAGetLastError.WSOCK32 ref: 00121884
bind.WSOCK32(00000000,?,00000010), ref: 001218DB
WSAGetLastError.WSOCK32 ref: 001218E6
closesocket.WSOCK32(00000000), ref: 00121915

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 5329117020254cf8ca3511f06daf48070343efbf48f4eae8f56421b711e9f6c8
Instruction ID: 928f7ec1babba437804a4a8e24c057c59b5a220197f038c2bc32bd70b88f8df5
Opcode Fuzzy Hash: 5329117020254cf8ca3511f06daf48070343efbf48f4eae8f56421b711e9f6c8
Instruction Fuzzy Hash: 5251B371A00210AFEB10EF64D886FAA77E5AB45718F488098F9096F3C3C771AD418BA1

Function 00131C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00131CC0
IsWindowEnabled.USER32 ref: 00131CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00131CDB
IsIconic.USER32 ref: 00131CE9
IsZoomed.USER32 ref: 00131CF7

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c604ed1271c3f63c582f09724ab5edb63f728574372a12551d6bdd74736c45a1
Instruction ID: c2bbdeafe96fa90c419c252519be5d9e7d0111f01f1a97c0ab92acb937b42923
Opcode Fuzzy Hash: c604ed1271c3f63c582f09724ab5edb63f728574372a12551d6bdd74736c45a1
Instruction Fuzzy Hash: A421A331740211AFD7209F2AC854B6A7BA5EF95325F199068E84A9B351C771DC42CBD0

Function 000A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000E5DF0
VUUU, xrefs: 000A83E8
VUUU, xrefs: 000A843C
VUUU, xrefs: 000A83FA
ERCP, xrefs: 000A813C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 09227c21774bb759dbabc40f35707faaef0103613824f8760dcd6fcf7cd7b5d5
Instruction ID: 8267b0e316b370f79cc9888c4cd201b76b2130bb02543aca4eb13f25cfbab51b
Opcode Fuzzy Hash: 09227c21774bb759dbabc40f35707faaef0103613824f8760dcd6fcf7cd7b5d5
Instruction Fuzzy Hash: 75A29D70E0065ACFDF74CF99C8447AEB7B1BF55314F2485AAD815AB281EB319E81CB90

Function 0010AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0010AAAC
SetKeyboardState.USER32(00000080), ref: 0010AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0010AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0010AB88

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8e38f3dbe785e99f7b7e8ad68d90e2d1d59db5bea2aeee762722e2c0fb1f974b
Instruction ID: d6efaafede4e2d8a1b92ca038b6f152323453d1298f444e5e7b32e44051ffd9b
Opcode Fuzzy Hash: 8e38f3dbe785e99f7b7e8ad68d90e2d1d59db5bea2aeee762722e2c0fb1f974b
Instruction Fuzzy Hash: 1D311671A40308AEFB358B64CC05BFA7BA6AF44310F84821AF4C1561D1D3B4D981C7A2

Function 0011CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0011CE89
GetLastError.KERNEL32(?,00000000), ref: 0011CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0011CEFE

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: dfe758ee3fb920323e9435e71f5f5bbf9395da0a91fc90e7c6246bd77392d086
Instruction ID: 342fc8703197133138caca18ed31ec561ad4d086e13d4f2f27825a02d03285da
Opcode Fuzzy Hash: dfe758ee3fb920323e9435e71f5f5bbf9395da0a91fc90e7c6246bd77392d086
Instruction Fuzzy Hash: D121BD71540705ABDB24CFA5C948BEBBBF8EB40354F10442EE546A2151E774EE858BE0

Function 00108298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001082AA

Strings

(, xrefs: 001082F0
|, xrefs: 001082DA

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: bc37413e834d29adbfe89f6a29e3b80401f2fa173fd6ee38120e9815af9d8854
Instruction ID: 84a457bcb7fb78f0d1fb40f645e33bc40722f5d7f85affeef740b69a04bae3ea
Opcode Fuzzy Hash: bc37413e834d29adbfe89f6a29e3b80401f2fa173fd6ee38120e9815af9d8854
Instruction Fuzzy Hash: D7323574A047059FCB28CF59C481AAAB7F1FF48710B15C56EE59ADB3A1EBB0E941CB40

Function 00115C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00115CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00115D17
FindClose.KERNEL32(?), ref: 00115D5F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f463d6964bef0d8aa8a471577d27aacc613f542d234d0c8eea4a4d363fc01870
Instruction ID: d48fbd677e02ad7a85614aece54e6189492a50c82aaabb4f85479713007c0911
Opcode Fuzzy Hash: f463d6964bef0d8aa8a471577d27aacc613f542d234d0c8eea4a4d363fc01870
Instruction Fuzzy Hash: 04519B34604A01DFC718CF68D494E9AB7E5FF4A314F14856DE95A8B3A2CB30EC84CB91

Function 000D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 000D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 000D2731

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e641a7ac11a9eaafa73ac05106522fa1fc60926986e81c1e8e72651f7baa26ce
Instruction ID: 8af5bc4f5d0e849d4699d3615c5e322d35d664bedb8361d73ac838abbba0eccb
Opcode Fuzzy Hash: e641a7ac11a9eaafa73ac05106522fa1fc60926986e81c1e8e72651f7baa26ce
Instruction Fuzzy Hash: FA31C475901318ABCB21DF64DC88BDDBBB8AF18310F5041EAE81CA7261E7349F818F55

Function 001151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00115238
SetErrorMode.KERNEL32(00000000), ref: 001152A1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c3a1299cc37717ee88717e749b9597b2a77fa6803347d61a4b5d9d2c145eed96
Instruction ID: a17b304582ec7db76e120d11e719200bf17f26bc7f7de1c50c68220d52c34f51
Opcode Fuzzy Hash: c3a1299cc37717ee88717e749b9597b2a77fa6803347d61a4b5d9d2c145eed96
Instruction Fuzzy Hash: 9C312B75A00518DFDB00DF94D884EEDBBB5FF49314F0580A9E809AB3A2DB71E855CB90

Function 001016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000C0668
Part of subcall function 000BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0010170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0010173A
GetLastError.KERNEL32 ref: 0010174A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a3feb9e213e089e5f3f14fdebea0e2fb8480b3353b97c2d375ff8182fe62e00c
Instruction ID: b008f37d29e0750698c012c8f80800464d53b23d3a298804258b191f9bb2ee7e
Opcode Fuzzy Hash: a3feb9e213e089e5f3f14fdebea0e2fb8480b3353b97c2d375ff8182fe62e00c
Instruction Fuzzy Hash: 66119EB2504305BFD718AF54DC86DABB7B9EB44714B20852EF09657681EBB0FC818B60

Function 0010D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0010D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0010D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0010D650

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 445b18904b0f9769a7bbf64c24d584b41301b201c6d3579251b815932ecc03ab
Instruction ID: a9da40794adb33bd06b524397201da5d4084e7ff61530230c4138e64c3a39990
Opcode Fuzzy Hash: 445b18904b0f9769a7bbf64c24d584b41301b201c6d3579251b815932ecc03ab
Instruction Fuzzy Hash: 6F113C75E05228BBDB108F95AC45FAFBBBCEB49B60F108115F904F7290D6B04A058BA1

Function 00101663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0010168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001016A1
FreeSid.ADVAPI32(?), ref: 001016B1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: cd0ae30aae86a7342af778f2741f2743c9ca5642f00e7e6dc01541c9b061433a
Instruction ID: 1d00cbab1d603fb463bc7fafefdc8c1094eea5979ef760e32d1f36b552c216dd
Opcode Fuzzy Hash: cd0ae30aae86a7342af778f2741f2743c9ca5642f00e7e6dc01541c9b061433a
Instruction Fuzzy Hash: 69F0F47595030DFBDB00DFE49D89AAEBBBCFB08704F504565E501E2181E774AA848B90

Function 000DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 000DC36C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: fe934d11992296d36a1405bdbed8facb729a7b390d5e80127b1866d7717b42db
Instruction ID: 92970fcb619f01320dc5d105c7e62cb25f93941605e4e8f7e5fb6f9bc8a13d85
Opcode Fuzzy Hash: fe934d11992296d36a1405bdbed8facb729a7b390d5e80127b1866d7717b42db
Instruction Fuzzy Hash: 53413B7650031A6FDB249FB9CC49EBB77B8EB84314F10426EF905D7281E6709E81CB60

Function 000CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 353d60158afbedb109d0fbdb073bb0a77dd3a722e9a30cb05197095d8c835401
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 6F020B71E002199BEF14CFA9C980BADBBF1EF48314F25816ED919E7385D731AE418B94

Function 001168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00116918
FindClose.KERNEL32(00000000), ref: 00116961

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 88b9b1b86663b9c84040f3d4887af26542457eaff56c8e3c935259fc4100ebb9
Instruction ID: 168d0834965c3f045008fa681ea09e26df50b09b3bcbb94172a4a49512519f1a
Opcode Fuzzy Hash: 88b9b1b86663b9c84040f3d4887af26542457eaff56c8e3c935259fc4100ebb9
Instruction Fuzzy Hash: EC11D0316042149FD714DF69C884A56BBE5FF85328F05C6A9E8698F6A2C731EC45CB90

Function 001137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00124891,?,?,00000035,?), ref: 001137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00124891,?,?,00000035,?), ref: 001137F4

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5371b1553e61ef8a44b751d408338a70479903414460b7a7927f6442e8f892c2
Instruction ID: ee338a8360baa48d33e0b55b5dbc3044ec8e38fde0b78f54fa0c58197c8d74c6
Opcode Fuzzy Hash: 5371b1553e61ef8a44b751d408338a70479903414460b7a7927f6442e8f892c2
Instruction Fuzzy Hash: 24F0E5B17043282AE72017A68C4DFEB3AAEEFC5761F000175F509E22C5DA609D84C7F0

Function 0010B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0010B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0010B270

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 69a8cb3f7b57252d243a23d72c0eb69122546dda55d3ea19946ccc4f0f8a5b0a
Instruction ID: 976730eef679cf29497747f8aa1fb2b0db85d502ce1e7d474bc8476cd9070c72
Opcode Fuzzy Hash: 69a8cb3f7b57252d243a23d72c0eb69122546dda55d3ea19946ccc4f0f8a5b0a
Instruction Fuzzy Hash: C7F01D7190428EABDB059FA0C805BAE7BB4FF08305F008009F955A5191C37996559F94

Function 001010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001011FC), ref: 001010D4
CloseHandle.KERNEL32(?,?,001011FC), ref: 001010E9

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 72ec2df45931299de4ebe4daf72eeaa16e34a7fcc69432a00d19aeced700a805
Instruction ID: bee0853d3fc99b1e56fb3fe3194b2662401472925740f5b6692af0b21c85b383
Opcode Fuzzy Hash: 72ec2df45931299de4ebe4daf72eeaa16e34a7fcc69432a00d19aeced700a805
Instruction Fuzzy Hash: AAE0BF72014611AEE7252B51FC05EB777E9EB04320B14882DF5A5914B5DB62ACE0DB50

Function 000ACAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 000F0C40

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 6abf6a5f1a5d03b5f8b830c843a6401d24930bc1965f5f52424d590b810e7d21
Instruction ID: a961f13d6d2f0c629cfeb5187480ba01ee8a6394ae221de576054cf17c5bfb34
Opcode Fuzzy Hash: 6abf6a5f1a5d03b5f8b830c843a6401d24930bc1965f5f52424d590b810e7d21
Instruction Fuzzy Hash: 71327970A00218DFEF24DF94C980EFDB7B5BF06304F158069E906AB292DB75AE45DB60

Function 000D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000D6766,?,?,00000008,?,?,000DFEFE,00000000), ref: 000D6998

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9216f90ca1b82f7f521d221acefa18e6679924df5fb4a202db79798df098834f
Instruction ID: b7f5144c1a04ba3e61b39209b8c4b4ded31969bf0d7d208b16b4778e4362d0f6
Opcode Fuzzy Hash: 9216f90ca1b82f7f521d221acefa18e6679924df5fb4a202db79798df098834f
Instruction Fuzzy Hash: F7B148316107099FD755CF28C48AB697BE0FF05364F25865AE89ACF3A2C736E981CB50

Function 000BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 000F851F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 931c0a05487104faf417e8a30e1d17eb7d969d9d2a771fb69a85f53b85edc3fc
Instruction ID: 1211a29b661edf4bda9c03e88a0d7132b7bfb32a8cd8433cd3ceb42bcb164775
Opcode Fuzzy Hash: 931c0a05487104faf417e8a30e1d17eb7d969d9d2a771fb69a85f53b85edc3fc
Instruction Fuzzy Hash: 1E125F71A002299BDB64CF58C8816FEB7F5FF48710F14819AE949EB251EB709E81DB90

Function 0011EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0011EABD

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1cbe81a53c89b15e6c20e503e7129245f75f637b75cb89ed636d5b5b621a44c2
Instruction ID: 4a91c9c0252498ea05f5047c038d3a08f1a387c7a13760b67c6617687046696a
Opcode Fuzzy Hash: 1cbe81a53c89b15e6c20e503e7129245f75f637b75cb89ed636d5b5b621a44c2
Instruction Fuzzy Hash: 64E04F322002049FD714EFA9E805EDAF7E9AF99760F018426FC4AD7352DB70E8808BD1

Function 000C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000C03EE), ref: 000C09DA

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0abf2aeb3838899aaaabc4a62ed9d936e1fbf061a4d4205cfb30840d6c88f474
Instruction ID: c1a60529ebcd87c6ca5f9a1277cc354f9c34dae1994628821b171eb9a636007f
Opcode Fuzzy Hash: 0abf2aeb3838899aaaabc4a62ed9d936e1fbf061a4d4205cfb30840d6c88f474
Instruction Fuzzy Hash:

Function 000C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 000C798B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 00e4bb52fe1bee6faa02a09897a37399ea22659373e3298d4990f261a84ae011
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 1C51686168C6055BDBB887688859FFE23D9DB52340F18050DEA8ED7282CE21DE09DF56

Function 000D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd7f1c85fce59eb982acfeffb0cae4a576d14f0fea1ac12f95f5248403bd5b9
Instruction ID: d2b12b48e768176c18c20c76ea947c6375386e0464499ee54938ac9dc62f8210
Opcode Fuzzy Hash: cbd7f1c85fce59eb982acfeffb0cae4a576d14f0fea1ac12f95f5248403bd5b9
Instruction Fuzzy Hash: 5A321026D29F014DD7239634D822336A689AFB73C5F55D737F81AB5EAAEB29C4C34100

Function 000BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b706fef9f0ffae731abf4b68c3b2cffef6b30d7f4283ec0e7b79b7a22af2d9
Instruction ID: 407f116b0857183893c02b6ad8020395c2d797f72d16b8635ce09fd385b563e6
Opcode Fuzzy Hash: a3b706fef9f0ffae731abf4b68c3b2cffef6b30d7f4283ec0e7b79b7a22af2d9
Instruction Fuzzy Hash: 36321831A0414D8BFF78CA28C696EBD7BE1EB45304F28856AD659C7A91D330DD81FB41

Function 000A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad13049c3a964ee185b00c017d9fcb829706de12db4f1ade2b37cb024f3aefb
Instruction ID: 431eba1136ebb22396131897d056e977576ce06d1ddb57d182a9efd814753e85
Opcode Fuzzy Hash: cad13049c3a964ee185b00c017d9fcb829706de12db4f1ade2b37cb024f3aefb
Instruction Fuzzy Hash: 8D229FB0A0460ADFDF14CFA5CC81AEEB7F6FF45304F148529E816A7291EB359A51CB60

Function 000A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b021431a445a1fdf01dbe8d82b84a7d8392e1167d977b02010c2a8da6565f530
Instruction ID: 30d712c02c5b95d4e2c60aad64ca5ca2d2d9a6e310408a067fafbdb1ccd2cfbf
Opcode Fuzzy Hash: b021431a445a1fdf01dbe8d82b84a7d8392e1167d977b02010c2a8da6565f530
Instruction Fuzzy Hash: 4A02C7B1A0014AEFCB14DF65D881AEEB7B5FF44300F108169E816AB291EB71EE51CB91

Function 000C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc62c85b87cd9819515570f0d95c25907b959a40d3c9c5f4a688e5021796e206
Instruction ID: 14b592c993bbd72fa07418a1e1ce12a03ca0f84b23435a8b71ad7c4e46d5ce95
Opcode Fuzzy Hash: cc62c85b87cd9819515570f0d95c25907b959a40d3c9c5f4a688e5021796e206
Instruction Fuzzy Hash: D761697120870567DBB49B288995FFE23D8DF81710F10491EE94ECB282D7119E42DF16

Function 000C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5fe72bf86425273137be08d89b4bd590e9468abca087a02c660e33280f501c
Instruction ID: 3bf64681361bd149f18e93bcd9ce2c4ffa5142254d0f821a215eb2d4fe6fe0cc
Opcode Fuzzy Hash: ec5fe72bf86425273137be08d89b4bd590e9468abca087a02c660e33280f501c
Instruction Fuzzy Hash: 5061793220870967DAB84B684852FFE23E8EF46740F10495EF84FCB282DA12AD42CF55

Function 00112046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca108a72c429e77b70df674830247dbef36d551528f03b00414630f9dc90ee87
Instruction ID: e7889b40bc80bc0c9577fcf6e701b75b770d77861bc2b65ba45d55869c1c0fc8
Opcode Fuzzy Hash: ca108a72c429e77b70df674830247dbef36d551528f03b00414630f9dc90ee87
Instruction Fuzzy Hash: BD21A5326206118BD72CCF79C8226BE73E5A754310F25862EF4A7C37D1DE39A984CB80

Function 00122ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00122B30
DeleteObject.GDI32(00000000), ref: 00122B43
DestroyWindow.USER32 ref: 00122B52
GetDesktopWindow.USER32 ref: 00122B6D
GetWindowRect.USER32(00000000), ref: 00122B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00122CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00122CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122CF8
GetClientRect.USER32(00000000,?), ref: 00122D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00122D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D80
GlobalLock.KERNEL32(00000000), ref: 00122D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D98
GlobalUnlock.KERNEL32(00000000), ref: 00122DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122DA8
GlobalFree.KERNEL32(00000000), ref: 00122DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0013FC38,00000000), ref: 00122DDB
GlobalFree.KERNEL32(00000000), ref: 00122DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00122E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00122E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0012303F

Strings

, xrefs: 00122FC5
AutoIt v3, xrefs: 00122CF2
static, xrefs: 00122D3A, 00122E91
DISPLAY, xrefs: 00122EA2

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 68919d015b00ca2c158f393ef5e8f80f8591f474fc86aed2a7b42a87393798a1
Instruction ID: 45ec1b0ca17cca11e19607e7b9703c566dbf19455fc7507a36e68ccb26f2caa9
Opcode Fuzzy Hash: 68919d015b00ca2c158f393ef5e8f80f8591f474fc86aed2a7b42a87393798a1
Instruction Fuzzy Hash: 00026B71900215EFDB14DFA4DC89EAE7BB9FF49310F048158F919AB2A1CB74AD41CBA0

Function 001370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0013712F
GetSysColorBrush.USER32(0000000F), ref: 00137160
GetSysColor.USER32(0000000F), ref: 0013716C
SetBkColor.GDI32(?,000000FF), ref: 00137186
SelectObject.GDI32(?,?), ref: 00137195
InflateRect.USER32(?,000000FF,000000FF), ref: 001371C0
GetSysColor.USER32(00000010), ref: 001371C8
CreateSolidBrush.GDI32(00000000), ref: 001371CF
FrameRect.USER32(?,?,00000000), ref: 001371DE
DeleteObject.GDI32(00000000), ref: 001371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00137230
FillRect.USER32(?,?,?), ref: 00137262
GetWindowLongW.USER32(?,000000F0), ref: 00137284

Part of subcall function 001373E8: GetSysColor.USER32(00000012), ref: 00137421
Part of subcall function 001373E8: SetTextColor.GDI32(?,?), ref: 00137425
Part of subcall function 001373E8: GetSysColorBrush.USER32(0000000F), ref: 0013743B
Part of subcall function 001373E8: GetSysColor.USER32(0000000F), ref: 00137446
Part of subcall function 001373E8: GetSysColor.USER32(00000011), ref: 00137463
Part of subcall function 001373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00137471
Part of subcall function 001373E8: SelectObject.GDI32(?,00000000), ref: 00137482
Part of subcall function 001373E8: SetBkColor.GDI32(?,00000000), ref: 0013748B
Part of subcall function 001373E8: SelectObject.GDI32(?,?), ref: 00137498
Part of subcall function 001373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001374B7
Part of subcall function 001373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001374CE
Part of subcall function 001373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001374DB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 450f748a24cc77f605466d2db280aae5816592d7f307c631dcb20283ce960126
Instruction ID: d5241bde5c19a745a158bc07e9a1573ffc344e010e312a37d38ed639231fb481
Opcode Fuzzy Hash: 450f748a24cc77f605466d2db280aae5816592d7f307c631dcb20283ce960126
Instruction Fuzzy Hash: FCA1C5B2108301FFDB109F60DC48E6B7BA9FF89320F100A19F962A65E1D771E984DB91

Function 00122711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0012273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0012286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00122900
GetClientRect.USER32(00000000,?), ref: 0012290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00122955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00122964
GetStockObject.GDI32(00000011), ref: 00122974
SelectObject.GDI32(00000000,00000000), ref: 00122978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00122988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00122991
DeleteDC.GDI32(00000000), ref: 0012299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00122A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00122A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00122A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00122A77
GetStockObject.GDI32(00000011), ref: 00122A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00122A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00122A97

Strings

static, xrefs: 0012294F, 00122A71
AutoIt v3, xrefs: 001228F8
DISPLAY, xrefs: 0012295A
msctls_progress32, xrefs: 00122A13

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ac6bb9157a3c99838ef6e0a8f9a2dc767928785c5624e108f7afebdd732d5315
Instruction ID: 2b6d1eaa1a43a0e7f3df1178457422a3c6af7ad0fa4de76f5bbae185665b171f
Opcode Fuzzy Hash: ac6bb9157a3c99838ef6e0a8f9a2dc767928785c5624e108f7afebdd732d5315
Instruction Fuzzy Hash: F3B12B71A40215BFEB14DFA8DC8AFAE7BB9EB09710F008514F915E7691D774AD80CBA0

Function 00114ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00114AED
GetDriveTypeW.KERNEL32(?,0013CB68,?,\\.\,0013CC08), ref: 00114BCA
SetErrorMode.KERNEL32(00000000,0013CB68,?,\\.\,0013CC08), ref: 00114D36

Strings

Fibre, xrefs: 00114CAD
RAMDisk, xrefs: 00114BF4
ATA, xrefs: 00114C98
FileBackedVirtual, xrefs: 00114CEC
USB, xrefs: 00114CB4
Unknown, xrefs: 00114BED, 00114C83
RAID, xrefs: 00114CBB
1394, xrefs: 00114C9F
SAS, xrefs: 00114CC9
SATA, xrefs: 00114CD0
CDROM, xrefs: 00114BFB
SCSI, xrefs: 00114C8A
Virtual, xrefs: 00114CE5
SSA, xrefs: 00114CA6
MMC, xrefs: 00114CDE
iSCSI, xrefs: 00114CC2
PhysicalDrive, xrefs: 00114B76
\\.\, xrefs: 00114B3F
Fixed, xrefs: 00114C09
Network, xrefs: 00114C02
SSD, xrefs: 00114C4A
Removable, xrefs: 00114C10, 00114C15
ATAPI, xrefs: 00114C91

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7cce28542d699548292cf74e82ed4d9e0585360cf379e0b7c98c4398d76f611c
Instruction ID: 20d39d6264d188de3037e4faebcff60ee1c51bd35bc830d0d961dafc6c022bde
Opcode Fuzzy Hash: 7cce28542d699548292cf74e82ed4d9e0585360cf379e0b7c98c4398d76f611c
Instruction Fuzzy Hash: 2561B130705105DBCB0CDFA4CE81EECB7A1AB46B40B248035F846AB692DB36DD91DB82

Function 001373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00137421
SetTextColor.GDI32(?,?), ref: 00137425
GetSysColorBrush.USER32(0000000F), ref: 0013743B
GetSysColor.USER32(0000000F), ref: 00137446
CreateSolidBrush.GDI32(?), ref: 0013744B
GetSysColor.USER32(00000011), ref: 00137463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00137471
SelectObject.GDI32(?,00000000), ref: 00137482
SetBkColor.GDI32(?,00000000), ref: 0013748B
SelectObject.GDI32(?,?), ref: 00137498
InflateRect.USER32(?,000000FF,000000FF), ref: 001374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0013752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00137554
InflateRect.USER32(?,000000FD,000000FD), ref: 00137572
DrawFocusRect.USER32(?,?), ref: 0013757D
GetSysColor.USER32(00000011), ref: 0013758E
SetTextColor.GDI32(?,00000000), ref: 00137596
DrawTextW.USER32(?,001370F5,000000FF,?,00000000), ref: 001375A8
SelectObject.GDI32(?,?), ref: 001375BF
DeleteObject.GDI32(?), ref: 001375CA
SelectObject.GDI32(?,?), ref: 001375D0
DeleteObject.GDI32(?), ref: 001375D5
SetTextColor.GDI32(?,?), ref: 001375DB
SetBkColor.GDI32(?,?), ref: 001375E5

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c1e7954089ed28c7e9e0a8a159048c164e8f0197d8eec55aa5d38d8d7ddfd75a
Instruction ID: 032f41d133d1e5b402c8dfac9f165b8c8802ddc82dbdaa5a29369589c39f7883
Opcode Fuzzy Hash: c1e7954089ed28c7e9e0a8a159048c164e8f0197d8eec55aa5d38d8d7ddfd75a
Instruction Fuzzy Hash: 20615AB2900218EFDF159FA4DC49AEEBFB9EB08320F114115F915BB2E1D775A980DB90

Function 00130FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00131128
GetDesktopWindow.USER32 ref: 0013113D
GetWindowRect.USER32(00000000), ref: 00131144
GetWindowLongW.USER32(?,000000F0), ref: 00131199
DestroyWindow.USER32(?), ref: 001311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0013120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0013121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00131232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00131245
IsWindowVisible.USER32(00000000), ref: 001312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001312D0
GetWindowRect.USER32(00000000,?), ref: 001312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0013130E
GetMonitorInfoW.USER32(00000000,?), ref: 00131328
CopyRect.USER32(?,?), ref: 0013133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001313AA

Strings

(, xrefs: 0013131B
tooltips_class32, xrefs: 001311E6
0, xrefs: 001310D3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f78a6afd56935b6875df5bd0ec74a1a82fd3f448351e036e8afabb6f1e7266bd
Instruction ID: 5d115faf17faa68bd83f1a680b75a4cfa2e9b6d5d034c235de924aa58442a2ec
Opcode Fuzzy Hash: f78a6afd56935b6875df5bd0ec74a1a82fd3f448351e036e8afabb6f1e7266bd
Instruction Fuzzy Hash: 30B17D71608341AFD714DF64C885BABBBE5FF85350F00891CF999AB2A2C771E844CB91

Function 00130241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001302E5
_wcslen.LIBCMT ref: 0013031F
_wcslen.LIBCMT ref: 00130389
_wcslen.LIBCMT ref: 001303F1
_wcslen.LIBCMT ref: 00130475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00130504

Part of subcall function 000BF9F2: _wcslen.LIBCMT ref: 000BF9FD

Part of subcall function 0010223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00102258
Part of subcall function 0010223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0010228A

Strings

GETSUBITEMCOUNT, xrefs: 00130384, 0013039F
VIEWCHANGE, xrefs: 00130675
SELECTCLEAR, xrefs: 0013052D
GETSELECTED, xrefs: 001305E1
DESELECT, xrefs: 0013059C
GETSELECTEDCOUNT, xrefs: 00130470, 0013048B
GETITEMCOUNT, xrefs: 00130316, 00130337
SELECTALL, xrefs: 00130515
SELECT, xrefs: 00130548
FINDITEM, xrefs: 00130627
SELECTINVERT, xrefs: 0013057E
ISSELECTED, xrefs: 001304DD
GETTEXT, xrefs: 001303EC, 00130407

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b195a06ffba790cc8c1cc1e5ca55a9a16689e343a20772a1ee3c589162acd4ea
Instruction ID: 63f788a6dd9e263d9be422096550caf0b050bf2cdcf61733c9d07b3960b8547b
Opcode Fuzzy Hash: b195a06ffba790cc8c1cc1e5ca55a9a16689e343a20772a1ee3c589162acd4ea
Instruction Fuzzy Hash: A5E1DF312082018FC719DF24C96197EB3E6BF99318F15496CF896AB3A6DB30ED45CB81

Function 000B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B8968
GetSystemMetrics.USER32(00000007), ref: 000B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B899B
GetSystemMetrics.USER32(00000008), ref: 000B89A3
GetSystemMetrics.USER32(00000004), ref: 000B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 000B8A5A
GetStockObject.GDI32(00000011), ref: 000B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 000B8A81

Part of subcall function 000B912D: GetCursorPos.USER32(?), ref: 000B9141
Part of subcall function 000B912D: ScreenToClient.USER32(00000000,?), ref: 000B915E
Part of subcall function 000B912D: GetAsyncKeyState.USER32(00000001), ref: 000B9183
Part of subcall function 000B912D: GetAsyncKeyState.USER32(00000002), ref: 000B919D

SetTimer.USER32(00000000,00000000,00000028,000B90FC), ref: 000B8AA8

Strings

AutoIt v3 GUI, xrefs: 000B8A20

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: bb38b6d2787cc15808a984b9f4ca38834d27f1bf4bd1604551fceffb4b4f63a0
Instruction ID: eb057985a3e1260badbc122fe894dfd8041883e175525fb69de1c2a0fa343963
Opcode Fuzzy Hash: bb38b6d2787cc15808a984b9f4ca38834d27f1bf4bd1604551fceffb4b4f63a0
Instruction Fuzzy Hash: D4B16E75A0020AEFDF14DF68CC45BEE7BB5FB48314F148229FA15A76A0DB70A881DB51

Function 00100D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00101114
Part of subcall function 001010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101120
Part of subcall function 001010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 0010112F
Part of subcall function 001010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101136
Part of subcall function 001010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0010114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00100DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00100E29
GetLengthSid.ADVAPI32(?), ref: 00100E40
GetAce.ADVAPI32(?,00000000,?), ref: 00100E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00100E96
GetLengthSid.ADVAPI32(?), ref: 00100EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00100EB5
HeapAlloc.KERNEL32(00000000), ref: 00100EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00100EDD
CopySid.ADVAPI32(00000000), ref: 00100EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00100F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00100F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00100F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100F6E
HeapFree.KERNEL32(00000000), ref: 00100F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100F7E
HeapFree.KERNEL32(00000000), ref: 00100F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100F8E
HeapFree.KERNEL32(00000000), ref: 00100F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00100FA1
HeapFree.KERNEL32(00000000), ref: 00100FA8

Part of subcall function 00101193: GetProcessHeap.KERNEL32(00000008,00100BB1,?,00000000,?,00100BB1,?), ref: 001011A1
Part of subcall function 00101193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00100BB1,?), ref: 001011A8
Part of subcall function 00101193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00100BB1,?), ref: 001011B7

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9f47719df7460d67db152c80d2458f8fe4104243d2b865075d429c8a7453910e
Instruction ID: b760b897166be0f8312abd9bd75bc715c2c0df08fd87464402c0eac32a0eec99
Opcode Fuzzy Hash: 9f47719df7460d67db152c80d2458f8fe4104243d2b865075d429c8a7453910e
Instruction Fuzzy Hash: 9B716D7290020AEBDF219FA4DC44FAEBBB8BF09301F144115FA99F6191D7B19A45DBA0

Function 0012C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0013CC08,00000000,?,00000000,?,?), ref: 0012C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0012C5A4
_wcslen.LIBCMT ref: 0012C5F4
_wcslen.LIBCMT ref: 0012C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0012C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0012C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0012C84D
RegCloseKey.ADVAPI32(?), ref: 0012C881
RegCloseKey.ADVAPI32(00000000), ref: 0012C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0012C960

Strings

REG_MULTI_SZ, xrefs: 0012C6F5
REG_DWORD, xrefs: 0012C804
REG_QWORD, xrefs: 0012C8C3
REG_EXPAND_SZ, xrefs: 0012C5CD
REG_BINARY, xrefs: 0012C913
REG_SZ, xrefs: 0012C644

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b6dcba153bace78ac0fc5ece35c00f8df82014596c06846c8c0ccbdb19068bba
Instruction ID: 2f9ec775a150d26137a90c9da08846b48e22bea341a7c31d67601af42f7194fa
Opcode Fuzzy Hash: b6dcba153bace78ac0fc5ece35c00f8df82014596c06846c8c0ccbdb19068bba
Instruction Fuzzy Hash: C61276356042119FCB18EF24D891B6AB7E5EF89314F05895CF98A9B3A2DB31ED41CB81

Function 0013091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001309C6
_wcslen.LIBCMT ref: 00130A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00130A54
_wcslen.LIBCMT ref: 00130A8A
_wcslen.LIBCMT ref: 00130B06
_wcslen.LIBCMT ref: 00130B81

Part of subcall function 000BF9F2: _wcslen.LIBCMT ref: 000BF9FD

Part of subcall function 00102BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00102BFA

Strings

ISCHECKED, xrefs: 00130CE1
COLLAPSE, xrefs: 00130B01, 00130B1C
UNCHECK, xrefs: 00130D3E
GETITEMCOUNT, xrefs: 00130C1E
EXPAND, xrefs: 00130BF8
CHECK, xrefs: 00130A85, 00130AA0
GETTOTALCOUNT, xrefs: 001309F2, 00130A17
SELECT, xrefs: 00130D11
GETSELECTED, xrefs: 00130C4E
GETTEXT, xrefs: 00130C97
EXISTS, xrefs: 00130B7C, 00130B97

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 65af6511728e6259851a32a43849da6ea11e23f445a6b0b52b722872ea8737b1
Instruction ID: 38bfea59aa8b6db95555939d0617a87614f03e59822d3988198b218e978ef13e
Opcode Fuzzy Hash: 65af6511728e6259851a32a43849da6ea11e23f445a6b0b52b722872ea8737b1
Instruction Fuzzy Hash: 49E1CE352087018FCB15EF64C86096AB7E1FF99318F15895CF89AAB3A2D731ED45CB81

Function 0012C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
_wcslen.LIBCMT ref: 0012C9F1
_wcslen.LIBCMT ref: 0012CA68
_wcslen.LIBCMT ref: 0012CA9E
_wcslen.LIBCMT ref: 0012CAF9
_wcslen.LIBCMT ref: 0012CB2F
_wcslen.LIBCMT ref: 0012CB7F

Strings

HKEY_CURRENT_USER, xrefs: 0012CBBD
HKLM, xrefs: 0012CA98, 0012CA9D
HKCR, xrefs: 0012CB29, 0012CB2E
HKEY_LOCAL_MACHINE, xrefs: 0012CA62, 0012CA67
HKEY_CLASSES_ROOT, xrefs: 0012CAF3, 0012CAF8
HKEY_CURRENT_CONFIG, xrefs: 0012CB79, 0012CB7E
HKCC, xrefs: 0012CBAC
HKEY_USERS, xrefs: 0012CBDF
HKU, xrefs: 0012CBF0
HKCU, xrefs: 0012CBCE

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 46c1aa3a677b89e66321c82e4da9e4ee21e041f6c4bc2b9928223e4dabbcd3f3
Instruction ID: ef9bf7666f537de23249a2dfaedf3bbf913f63912138263398f10ceac67a6f68
Opcode Fuzzy Hash: 46c1aa3a677b89e66321c82e4da9e4ee21e041f6c4bc2b9928223e4dabbcd3f3
Instruction Fuzzy Hash: 8A71C33260053A8BCB20DE7CED516FE3391AFA1794B250528FA56A7285F771CDA583E0

Function 0013833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0013835A
_wcslen.LIBCMT ref: 0013836E
_wcslen.LIBCMT ref: 00138391
_wcslen.LIBCMT ref: 001383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00135BF2), ref: 0013844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00138487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00138501
FreeLibrary.KERNEL32(?), ref: 0013850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0013851D
DestroyIcon.USER32(?,?,?,?,?,00135BF2), ref: 0013852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00138549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00138555

Strings

.icl, xrefs: 00138368
.exe, xrefs: 00138388
.dll, xrefs: 001383AB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: c6bc96df9ec18d44a354a9c1af5da553cf7bf19a3300e9a1f9ae53dee3ccdbbd
Instruction ID: 75b4e36dbd95a50e47f94472d99197bb719d52b56b43a26c7762e7f52dab483e
Opcode Fuzzy Hash: c6bc96df9ec18d44a354a9c1af5da553cf7bf19a3300e9a1f9ae53dee3ccdbbd
Instruction Fuzzy Hash: AA61AF72A40715BAEB14DF64CC45FFE77A8FB08B11F104609F815E61D2DBB4A994CBA0

Function 000A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 000E528C
#comments-start, xrefs: 000A785F, 000A78B1
#notrayicon, xrefs: 000A77E7
", xrefs: 000E5153
', xrefs: 000E5169
#include-once, xrefs: 000A782F
#include, xrefs: 000A7847
Cannot parse #include, xrefs: 000E5279
#ce, xrefs: 000A78ED
#cs, xrefs: 000A7873, 000A78C5
#comments-end, xrefs: 000A78D9
Bad directive syntax error, xrefs: 000E519A
#pragma compile, xrefs: 000A77D3
#requireadmin, xrefs: 000A77FF
#OnAutoItStartRegister, xrefs: 000A7817

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ddcd4334d3019f1b3b4b565898b1cc383c04ca05f6cfc74505de19aab0ac430e
Instruction ID: f67c10bf56d798af1c78b72be7c5153c7368b224cb8fe28b09c1f8b8b835b2d1
Opcode Fuzzy Hash: ddcd4334d3019f1b3b4b565898b1cc383c04ca05f6cfc74505de19aab0ac430e
Instruction Fuzzy Hash: AC81F871A44605BFDB20AFA0DC42FEE37A9AF16340F048428F908AB197EB70D911D7A1

Function 00113E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00113EF8
_wcslen.LIBCMT ref: 00113F03
_wcslen.LIBCMT ref: 00113F5A
_wcslen.LIBCMT ref: 00113F98
GetDriveTypeW.KERNEL32(?), ref: 00113FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0011401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00114059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00114087

Strings

set cd door , xrefs: 00114028
type cdaudio alias cd wait, xrefs: 00114001
wait, xrefs: 00114044
close cd wait, xrefs: 00114072
open, xrefs: 00113F54, 00113F59
close, xrefs: 00113EFE, 00113F18
closed, xrefs: 00113F08, 00113F2D, 00113F46, 00113F7E, 00113F97
open , xrefs: 00113FE5

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 3675fbb51de35f56723fd0c564a2a518aef95f8b5dcaf1e39957f877a37e4b92
Instruction ID: e5fa122de35592f314d5c25dba1c931bffddfb62accccea4340676ba6db98819
Opcode Fuzzy Hash: 3675fbb51de35f56723fd0c564a2a518aef95f8b5dcaf1e39957f877a37e4b92
Instruction Fuzzy Hash: 5071D3326046129FC714DF24C8808EEB7F4EF99754F40492DF4A697252EB31DE86CB92

Function 00105A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00105A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00105A40
SetWindowTextW.USER32(?,?), ref: 00105A57
GetDlgItem.USER32(?,000003EA), ref: 00105A6C
SetWindowTextW.USER32(00000000,?), ref: 00105A72
GetDlgItem.USER32(?,000003E9), ref: 00105A82
SetWindowTextW.USER32(00000000,?), ref: 00105A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00105AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00105AC3
GetWindowRect.USER32(?,?), ref: 00105ACC
_wcslen.LIBCMT ref: 00105B33
SetWindowTextW.USER32(?,?), ref: 00105B6F
GetDesktopWindow.USER32 ref: 00105B75
GetWindowRect.USER32(00000000), ref: 00105B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00105BD3
GetClientRect.USER32(?,?), ref: 00105BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00105C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00105C2F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6be0bbd624a7f99591e7669d4c3458ea202cb84bdb53531f1efc3b696421440d
Instruction ID: d9318a950a1644c887b53680b93a075ab2e89b39885a1b1ff0e2ef7a201ed658
Opcode Fuzzy Hash: 6be0bbd624a7f99591e7669d4c3458ea202cb84bdb53531f1efc3b696421440d
Instruction Fuzzy Hash: C8713D71900B09EFDB20DFA9CE45AAFBBF6FF48705F104518E582A25A0D7B5A944CF50

Function 0011FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0011FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0011FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0011FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0011FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0011FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0011FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0011FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0011FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0011FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0011FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0011FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0011FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0011FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0011FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0011FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0011FECC
GetCursorInfo.USER32(?), ref: 0011FEDC
GetLastError.KERNEL32 ref: 0011FF1E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 797be55da1a16a25a66fde4855110c3790be4a0fe4eb0bde1e58d01bcc93b036
Instruction ID: 58eb33e8736d34de06358da464d4745284e09edae50d345d3ec3dba180a6dcc5
Opcode Fuzzy Hash: 797be55da1a16a25a66fde4855110c3790be4a0fe4eb0bde1e58d01bcc93b036
Instruction Fuzzy Hash: 0D4153B1D0831A6ADB109FBA8C8985EBFE8FF04354B54453AE11DE7281DB789942CF91

Function 000C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000C00C6

Part of subcall function 000C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0017070C,00000FA0,3FAB0C11,?,?,?,?,000E23B3,000000FF), ref: 000C011C
Part of subcall function 000C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000E23B3,000000FF), ref: 000C0127
Part of subcall function 000C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000E23B3,000000FF), ref: 000C0138
Part of subcall function 000C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 000C014E
Part of subcall function 000C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000C015C
Part of subcall function 000C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000C016A
Part of subcall function 000C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000C0195
Part of subcall function 000C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000C01A0

___scrt_fastfail.LIBCMT ref: 000C00E7

Part of subcall function 000C00A3: __onexit.LIBCMT ref: 000C00A9

Strings

InitializeConditionVariable, xrefs: 000C0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000C0122
SleepConditionVariableCS, xrefs: 000C0154
WakeAllConditionVariable, xrefs: 000C0162
kernel32.dll, xrefs: 000C0133

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 896e4f6a4efe6fa7afd2ebf4570da8b85462edd6da8f69bd9c6dabd56bcc5353
Instruction ID: 5f2441e41c25d255c5985a20058bbf6c32aacb08104251fb2d02201ad591557f
Opcode Fuzzy Hash: 896e4f6a4efe6fa7afd2ebf4570da8b85462edd6da8f69bd9c6dabd56bcc5353
Instruction Fuzzy Hash: FD21F632A45711EBE7115BA4AC0AFAEB3E4EB04B51F14012DFC45F7A92DBB09C40CA90

Function 001030F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0010318D
_wcslen.LIBCMT ref: 001031F8

Strings

INSTANCE, xrefs: 00103453
REGEXPCLASS, xrefs: 00103255, 00103266
CLASSNN, xrefs: 001031F3, 00103204
CLASS, xrefs: 00103188, 001031A5
TEXT, xrefs: 0010347C
NAME, xrefs: 00103335, 00103346

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b4665c3bd5e95ab7a8eb4da769ad5305fdb8a93ac47fae6e7454bf2602bbb4fa
Instruction ID: e5141a24edb1470b102439f3d01c5d2e36e8cb47f69b67c8fa1347ba350c674a
Opcode Fuzzy Hash: b4665c3bd5e95ab7a8eb4da769ad5305fdb8a93ac47fae6e7454bf2602bbb4fa
Instruction Fuzzy Hash: B8E10732A005169BCB189FA8C851BEDFBB9BF14710F558119E4A6F72C1DBB0AE45C790

Function 001144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0013CC08), ref: 00114527
_wcslen.LIBCMT ref: 0011453B
_wcslen.LIBCMT ref: 00114599
_wcslen.LIBCMT ref: 001145F4
_wcslen.LIBCMT ref: 0011463F
_wcslen.LIBCMT ref: 001146A7

Part of subcall function 000BF9F2: _wcslen.LIBCMT ref: 000BF9FD

GetDriveTypeW.KERNEL32(?,00166BF0,00000061), ref: 00114743

Strings

removable, xrefs: 001145EA, 001145EF
cdrom, xrefs: 0011458F, 00114594
unknown, xrefs: 00114708
ramdisk, xrefs: 001146F1
network, xrefs: 0011469D, 001146A2
fixed, xrefs: 00114635, 0011463A
all, xrefs: 00114531, 00114536

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 4b1e5d85601e64b6ab2dd0e77c541883690e6c04e9235d7e5d6092dc1bada5bb
Instruction ID: ab2453c2ec26bcbad5d4312f854b562ff161c6cabd06a09624ca09c5f4df5235
Opcode Fuzzy Hash: 4b1e5d85601e64b6ab2dd0e77c541883690e6c04e9235d7e5d6092dc1bada5bb
Instruction Fuzzy Hash: 30B1E6716083029FC718DF28C890AEEB7E5BFA6B64F50492DF496D7292D730D884C792

Function 000A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00171990), ref: 000E2F8D
GetMenuItemCount.USER32(00171990), ref: 000E303D
GetCursorPos.USER32(?), ref: 000E3081
SetForegroundWindow.USER32(00000000), ref: 000E308A
TrackPopupMenuEx.USER32(00171990,00000000,?,00000000,00000000,00000000), ref: 000E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000E30A9

Strings

0, xrefs: 000A327D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 4155031d25f5d328864ce25ab8c19232f9e8ab783fbd66315556899188c0bd0d
Instruction ID: f90071728bbcc770a43d4d86dc486376fd5c0ac33d7899f841c31c9df2cf2a51
Opcode Fuzzy Hash: 4155031d25f5d328864ce25ab8c19232f9e8ab783fbd66315556899188c0bd0d
Instruction Fuzzy Hash: 38711571644255BEEB219F65CC89FAEBFA8FF05324F204226F5247A1E1C7B1AD50CB90

Function 00136CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00136DEB

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00136E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00136E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00136E94
DestroyWindow.USER32(?), ref: 00136EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000A0000,00000000), ref: 00136EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00136EFD
GetDesktopWindow.USER32 ref: 00136F16
GetWindowRect.USER32(00000000), ref: 00136F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00136F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00136F4D

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

Strings

tooltips_class32, xrefs: 00136E58, 00136EDD
0, xrefs: 00136D98

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5b51770cd9ba40b082d4de47a5aa511a74f8ca88064a6a9af75be559acb5dddd
Instruction ID: 376ae375eb164a9f5add3ecb55c62b12149ae47f2950174f70c2bcaccd425a37
Opcode Fuzzy Hash: 5b51770cd9ba40b082d4de47a5aa511a74f8ca88064a6a9af75be559acb5dddd
Instruction Fuzzy Hash: A8716874104244AFDB21CF18DC54FAABBF9FB89304F04482DFA9997261C771E98ACB61

Function 0013911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00139147

Part of subcall function 00137674: ClientToScreen.USER32(?,?), ref: 0013769A
Part of subcall function 00137674: GetWindowRect.USER32(?,?), ref: 00137710
Part of subcall function 00137674: PtInRect.USER32(?,?,00138B89), ref: 00137720

SendMessageW.USER32(?,000000B0,?,?), ref: 001391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00139225
SendMessageW.USER32(?,000000B0,?,?), ref: 0013923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00139255
SendMessageW.USER32(?,000000B1,?,?), ref: 00139277
DragFinish.SHELL32(?), ref: 0013927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00139371

Strings

@GUI_DROPID, xrefs: 0013929E
@GUI_DRAGFILE, xrefs: 00139320
@GUI_DRAGID, xrefs: 001392E9

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: a4a4b1737acf192d9e53f11afb5217d7a813b324921c775c0598ef56b117a10b
Instruction ID: 9ea240f512d7ea2b3b517265c81f3a0da579b9094bb4f1894a82110965434d60
Opcode Fuzzy Hash: a4a4b1737acf192d9e53f11afb5217d7a813b324921c775c0598ef56b117a10b
Instruction Fuzzy Hash: F3614971108301AFD701EFA4DC85DAFBBE8FF89750F40092DF595922A1DB709A49CB92

Function 0011C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0011C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0011C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0011C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0011C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0011C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0011C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0011C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0011C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0011C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0011C5F0
InternetCloseHandle.WININET(00000000), ref: 0011C5FB

Strings

, xrefs: 0011C575

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 658e6a5882beb04ded93d7d5ab59b88847f2b59f50cdca5e496fb63c5855386a
Instruction ID: ebfb48ce679ba947876abe3949c84ebbee86c85f9206bc5d6b5b6451a7069743
Opcode Fuzzy Hash: 658e6a5882beb04ded93d7d5ab59b88847f2b59f50cdca5e496fb63c5855386a
Instruction Fuzzy Hash: D5514DB1640605BFEB258FA4C948AFB7BFDFF08754F004429F94596610DB34E984DBA1

Function 0013856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00138592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001385BA
GlobalLock.KERNEL32(00000000), ref: 001385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001385D7
GlobalUnlock.KERNEL32(00000000), ref: 001385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0013FC38,?), ref: 00138611
GlobalFree.KERNEL32(00000000), ref: 00138621
GetObjectW.GDI32(?,00000018,?), ref: 00138641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00138671
DeleteObject.GDI32(?), ref: 00138699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001386AF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 215fc42620b50ab498e06d27c661680304d1ad9debee64073ec849e3d5befe1f
Instruction ID: 3167cf333de589df58d18fe11744f628a99fbf00d4bce69702517ef23c271712
Opcode Fuzzy Hash: 215fc42620b50ab498e06d27c661680304d1ad9debee64073ec849e3d5befe1f
Instruction Fuzzy Hash: C9410A75600204AFDB119FA5DC89EAB7BB8FF89715F108158F909E7260DB309D41DF60

Function 001114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00111502
VariantCopy.OLEAUT32(?,?), ref: 0011150B
VariantClear.OLEAUT32(?), ref: 00111517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00111657
VariantInit.OLEAUT32(?), ref: 00111708
SysFreeString.OLEAUT32(?), ref: 0011178C
VariantClear.OLEAUT32(?), ref: 001117D8
VariantClear.OLEAUT32(?), ref: 001117E7
VariantInit.OLEAUT32(00000000), ref: 00111823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00111625
Default, xrefs: 001116AF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b22ccf815d96219f32e8b8d581989868bca61b4899247df84621ad3858a27928
Instruction ID: 81ba7e57f84cf03b52eadf8514eb2f4d9a360008143c86ec54a066d6104d0cf2
Opcode Fuzzy Hash: b22ccf815d96219f32e8b8d581989868bca61b4899247df84621ad3858a27928
Instruction Fuzzy Hash: F3D10031A04515EBDB189F64D885BFDF7B6BF46700F118066F646AB681DB30EC80DBA2

Function 0012B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 0012C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012C9F1
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA68
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0012B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0012B80A
RegCloseKey.ADVAPI32(?), ref: 0012B87E
RegCloseKey.ADVAPI32(?), ref: 0012B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0012B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0012B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0012B922
FreeLibrary.KERNEL32(00000000), ref: 0012B983
RegCloseKey.ADVAPI32(00000000), ref: 0012B994

Strings

advapi32.dll, xrefs: 0012B8ED
RegDeleteKeyExW, xrefs: 0012B8FE

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 4be20a20a381475a767a9e9842f69bd71ea37edea639d97775b3197a63bb79a4
Instruction ID: f81f92da836a643c62d5415a47024ea802d6238feafafb600ff1257224dffff9
Opcode Fuzzy Hash: 4be20a20a381475a767a9e9842f69bd71ea37edea639d97775b3197a63bb79a4
Instruction Fuzzy Hash: 57C1A934208211AFD714DF64D4D5F6ABBE5BF85308F14849CF5AA8B2A2CB31ED95CB81

Function 0012255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001225E8
CreateCompatibleDC.GDI32(?), ref: 001225F4
SelectObject.GDI32(00000000,?), ref: 00122601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0012266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001226D0
SelectObject.GDI32(?,?), ref: 001226D8
DeleteObject.GDI32(?), ref: 001226E1
DeleteDC.GDI32(?), ref: 001226E8
ReleaseDC.USER32(00000000,?), ref: 001226F3

Strings

(, xrefs: 0012268D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 37199e1c778986ecc93668d4b0fa99f3bb3a358febf4c76ee340e6a0377517fd
Instruction ID: 9a001349a61ee1c40bccc72ac1353bda7d064c4157a5109f514df87b232615d5
Opcode Fuzzy Hash: 37199e1c778986ecc93668d4b0fa99f3bb3a358febf4c76ee340e6a0377517fd
Instruction Fuzzy Hash: F661E2B6D00219EFCF14CFA4D884AAEBBB6FF48310F208529E955B7250D774A951DFA0

Function 000DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 000DDAA1

Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD659
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD66B
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD67D
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD68F
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6A1
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6B3
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6C5
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6D7
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6E9
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6FB
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD70D
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD71F
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD731

_free.LIBCMT ref: 000DDA96

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000DDAB8
_free.LIBCMT ref: 000DDACD
_free.LIBCMT ref: 000DDAD8
_free.LIBCMT ref: 000DDAFA
_free.LIBCMT ref: 000DDB0D
_free.LIBCMT ref: 000DDB1B
_free.LIBCMT ref: 000DDB26
_free.LIBCMT ref: 000DDB5E
_free.LIBCMT ref: 000DDB65
_free.LIBCMT ref: 000DDB82
_free.LIBCMT ref: 000DDB9A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c80158b80ee93849bc8cf57611086b95e01c3c21b54f3a2e56bcdb9940513501
Instruction ID: b74565648e60b690526ab0fdd928aaff61e5e694e6f87d922063476317059a86
Opcode Fuzzy Hash: c80158b80ee93849bc8cf57611086b95e01c3c21b54f3a2e56bcdb9940513501
Instruction Fuzzy Hash: 8D313931604705DFEB61AA39E845BAAB7E9FF10324F15841BE459D7392EB31EC409B30

Function 0010365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0010369C
_wcslen.LIBCMT ref: 001036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00103797
GetClassNameW.USER32(?,?,00000400), ref: 0010380C
GetDlgCtrlID.USER32(?), ref: 0010385D
GetWindowRect.USER32(?,?), ref: 00103882
GetParent.USER32(?), ref: 001038A0
ScreenToClient.USER32(00000000), ref: 001038A7
GetClassNameW.USER32(?,?,00000100), ref: 00103921
GetWindowTextW.USER32(?,?,00000400), ref: 0010395D

Strings

%s%u, xrefs: 00103734

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2a2330698c6aaed6360eb5f9f5b882998fcd5ab2d6cf1be9427dfb2760a80276
Instruction ID: f1c482ae5d75ab69ea6ac67e5715bda84705e3ba7881b80c10324a6e2ccbc3a8
Opcode Fuzzy Hash: 2a2330698c6aaed6360eb5f9f5b882998fcd5ab2d6cf1be9427dfb2760a80276
Instruction Fuzzy Hash: 0491AE71204606AFD719DF24C885FEAB7ACFF44354F008629F9E9D2191DBB0EA45CB91

Function 00104954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00104994
GetWindowTextW.USER32(?,?,00000400), ref: 001049DA
_wcslen.LIBCMT ref: 001049EB
CharUpperBuffW.USER32(?,00000000), ref: 001049F7
_wcsstr.LIBVCRUNTIME ref: 00104A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00104A64
GetWindowTextW.USER32(?,?,00000400), ref: 00104A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00104AE6
GetClassNameW.USER32(?,?,00000400), ref: 00104B20
GetWindowRect.USER32(?,?), ref: 00104B8B

Strings

ThumbnailClass, xrefs: 00104A6F, 00104AF1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b11ca1d717442d8b4d2b6a4b004b57663940be584aca72b903d96352c1c766e0
Instruction ID: 420224d8484641ae6c2c59bd2df630c6c4a8f3ddc3db852835beacfaa9720bb0
Opcode Fuzzy Hash: b11ca1d717442d8b4d2b6a4b004b57663940be584aca72b903d96352c1c766e0
Instruction Fuzzy Hash: 7991AAB21042059BDB04DF14C9C5BAA7BE8FF84314F048469FEC69A1D6EBB4ED45CBA1

Function 00138D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00138D5A
GetFocus.USER32 ref: 00138D6A
GetDlgCtrlID.USER32(00000000), ref: 00138D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00138E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00138ECF
GetMenuItemCount.USER32(?), ref: 00138EEC
GetMenuItemID.USER32(?,00000000), ref: 00138EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00138F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00138F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00138FA1

Strings

0, xrefs: 00138E9F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 5f54c2b07d3327b17b88227cf440fae38909fa30a146b088bd1b3f3fa1d9c8b3
Instruction ID: 9bc28093372a50b7dd1c61e9659859d9ea8c5dd61a6eb6239cd82088889483af
Opcode Fuzzy Hash: 5f54c2b07d3327b17b88227cf440fae38909fa30a146b088bd1b3f3fa1d9c8b3
Instruction Fuzzy Hash: F881A071608301AFD720DF24C884EABBBE9FF88754F14092DF995A7291DB70D945CBA1

Function 0010DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0010DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0010DC46
_wcslen.LIBCMT ref: 0010DC50
_wcsstr.LIBVCRUNTIME ref: 0010DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0010DCBC

Strings

%u.%u.%u.%u, xrefs: 0010DD9A
\VarFileInfo\Translation, xrefs: 0010DCB4
StringFileInfo\, xrefs: 0010DC8F
04090000, xrefs: 0010DCF2
DefaultLangCodepage, xrefs: 0010DD1F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 8c7cc45966f835f307cbe30875569a8205a16b64cf8bad44c81e0fc2623d3209
Instruction ID: 5dc99cc7a7e11be18fe3e7969affc9c7e5dce4395f4493abe18860f1ff061f39
Opcode Fuzzy Hash: 8c7cc45966f835f307cbe30875569a8205a16b64cf8bad44c81e0fc2623d3209
Instruction Fuzzy Hash: 9D41DF32A402057AEB14A7B4AC47EFF77ACEF52750F10006AF900A61D3EBB4DA1187A5

Function 0012CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0012CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0012CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0012CD48

Part of subcall function 0012CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0012CCAA
Part of subcall function 0012CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0012CCBD
Part of subcall function 0012CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0012CCCF
Part of subcall function 0012CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0012CD05
Part of subcall function 0012CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0012CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0012CCF3

Strings

advapi32.dll, xrefs: 0012CCB8
RegDeleteKeyExW, xrefs: 0012CCC9

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c5c14975cedfc93fb0fc4247eece9c39d562edfc614bc3d0cc76dca2f9dc7c18
Instruction ID: bf2a8021a2d49347708bbf688f012b8c9c02d21ae8a009ec58c559ada4f774b6
Opcode Fuzzy Hash: c5c14975cedfc93fb0fc4247eece9c39d562edfc614bc3d0cc76dca2f9dc7c18
Instruction Fuzzy Hash: 64315E75901129BBD7208BA5EC88EFFBB7CEF55750F000165FA05E3140D7749A959BE0

Function 00113D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00113D40
_wcslen.LIBCMT ref: 00113D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00113D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00113DBE
RemoveDirectoryW.KERNEL32(?), ref: 00113DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00113E55
CloseHandle.KERNEL32(00000000), ref: 00113E60
CloseHandle.KERNEL32(00000000), ref: 00113E6B

Strings

\, xrefs: 00113D77
:, xrefs: 00113D82
\??\%s, xrefs: 00113D5B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 928a8d3d0cefe8153b012726094cd230bc2014e3a2373288e0f3d876fc86ac82
Instruction ID: e2dd9424bc639633f4e21dc22df0cb67d2cd04e4f50adb19f2491381dc36a437
Opcode Fuzzy Hash: 928a8d3d0cefe8153b012726094cd230bc2014e3a2373288e0f3d876fc86ac82
Instruction Fuzzy Hash: 9B31B272900209ABDF209BA0DC49FEF37BDEF88710F5040B5F515E60A5EB7497848B64

Function 0010E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0010E6B4

Part of subcall function 000BE551: timeGetTime.WINMM(?,?,0010E6D4), ref: 000BE555

Sleep.KERNEL32(0000000A), ref: 0010E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0010E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0010E727
SetActiveWindow.USER32 ref: 0010E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0010E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0010E773
Sleep.KERNEL32(000000FA), ref: 0010E77E
IsWindow.USER32 ref: 0010E78A
EndDialog.USER32(00000000), ref: 0010E79B

Strings

BUTTON, xrefs: 0010E719

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 14a6318a7c06744bba4bb96b73e10b4a9894740a6cbd202b6e52585b50844b77
Instruction ID: c806b96bbd2a8fb597db194706527f723710bf5dbb1846689b91ec2fe13436e6
Opcode Fuzzy Hash: 14a6318a7c06744bba4bb96b73e10b4a9894740a6cbd202b6e52585b50844b77
Instruction Fuzzy Hash: 1C21A8B0200204FFEB006F65EC89A253BB9F754349F244825F95A929F1DBF19CC19B94

Function 0010E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0010EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0010EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0010EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0010EAA7

Strings

close PlayMe, xrefs: 0010EA6E, 0010EA9B
play PlayMe, xrefs: 0010EAA2
alias PlayMe, xrefs: 0010EA36
status PlayMe mode, xrefs: 0010EA58
open , xrefs: 0010EA0C
play PlayMe wait, xrefs: 0010EA91

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d573965e714ac9696401c961a78914ace72013e9c87a64d17c8ca8d8e95a3514
Instruction ID: 7d3e6938f98e51ea0079b12c46253eb8273977601452fdf8856b70e9e2aee98a
Opcode Fuzzy Hash: d573965e714ac9696401c961a78914ace72013e9c87a64d17c8ca8d8e95a3514
Instruction Fuzzy Hash: 5D117731B50219BDD710A7A2DC4ADFF6ABCEBD6B44F4408297801A30D1DFB00D55C5B0

Function 00105CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00105CE2
GetWindowRect.USER32(00000000,?), ref: 00105CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00105D59
GetDlgItem.USER32(?,00000002), ref: 00105D69
GetWindowRect.USER32(00000000,?), ref: 00105D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00105DCF
GetDlgItem.USER32(?,000003E9), ref: 00105DDD
GetWindowRect.USER32(00000000,?), ref: 00105DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00105E31
GetDlgItem.USER32(?,000003EA), ref: 00105E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00105E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00105E67

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 8f0bb39cd7756f07134ce1dd678ab9378aae62f0539733ed9ad4218b84a6c14f
Instruction ID: 9a7e439c34c38437ef138a7c0591ecc39df1239a4fc36e35dc8ff3920d0ad6d0
Opcode Fuzzy Hash: 8f0bb39cd7756f07134ce1dd678ab9378aae62f0539733ed9ad4218b84a6c14f
Instruction Fuzzy Hash: 325100B5A00615AFDF18CFA8DD89AAEBBB6FB48310F148129F915E6690D7709D40CF50

Function 000B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B8BE8,?,00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000B8FC5

DestroyWindow.USER32(?), ref: 000B8C81
KillTimer.USER32(00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 000F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000B8BBA,00000000), ref: 000F69D4
DeleteObject.GDI32(00000000), ref: 000F69E6

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 749c0161e3aed4f0aaf8536705139998ca8135c7222207754280f37ee87ea5a6
Instruction ID: fdbe90386c7a32aad15df40596f4e7c488cda9e92622ef7c06c64bca861d0ed0
Opcode Fuzzy Hash: 749c0161e3aed4f0aaf8536705139998ca8135c7222207754280f37ee87ea5a6
Instruction Fuzzy Hash: E261BA71102605EFCB758F18C948BA9BBF5FB40316F14851CE246AAD70CB72A8C1EF91

Function 000B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

GetSysColor.USER32(0000000F), ref: 000B9862

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5c839421d4b9e21d857a444a2eb6f38e58ec403995f88c5bed015c7165167c63
Instruction ID: 11eede397e0982e5052b0eed6e4a0bba46c73e806b80f850342ef9b5f49c0ba5
Opcode Fuzzy Hash: 5c839421d4b9e21d857a444a2eb6f38e58ec403995f88c5bed015c7165167c63
Instruction Fuzzy Hash: EB419F31104644AFDB215F389C84BF93BB5EB46330F144619FBA6972E1CB719C82EB61

Function 001096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,000EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00109717
LoadStringW.USER32(00000000,?,000EF7F8,00000001), ref: 00109720

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,000EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00109742
LoadStringW.USER32(00000000,?,000EF7F8,00000001), ref: 00109745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00109866

Strings

Line %d:, xrefs: 001097A0
Error: , xrefs: 0010981D
^ ERROR, xrefs: 001097FB
Line %d (File "%s"):, xrefs: 0010978F
%s (%d) : ==> %s: %s %s, xrefs: 0010984A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8d6d1ce038871b3f63f087f0e330501865b1b90fae12b7dd85f78658046adda8
Instruction ID: 94ff3cc693cc57e2ab9e1b66b7ebc79242c1e843860baf78dfbb9b731a9c53b0
Opcode Fuzzy Hash: 8d6d1ce038871b3f63f087f0e330501865b1b90fae12b7dd85f78658046adda8
Instruction Fuzzy Hash: 51413A72900219AACF04EBE0CE96DEEB778AF56340F504025F60672093EF756F49CBA1

Function 001006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00100804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0010082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00100837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0010083C

Strings

\CLSID, xrefs: 00100724
SOFTWARE\Classes\, xrefs: 0010070E
\IPC$, xrefs: 00100784

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 8939d5b70192f08bd0214f6c998bec410727397206c0460572200f1744a135fc
Instruction ID: f22294a3356c621ecfabc7626b396bb25c5f2cd12d3fe259971d60882eb2b0f0
Opcode Fuzzy Hash: 8939d5b70192f08bd0214f6c998bec410727397206c0460572200f1744a135fc
Instruction Fuzzy Hash: 61411672D10229ABCF15EBA4DC85DEEB778BF09350F448129F941B31A1EB749E44CBA0

Function 00123C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00123C5C
CoInitialize.OLE32(00000000), ref: 00123C8A
CoUninitialize.OLE32 ref: 00123C94
_wcslen.LIBCMT ref: 00123D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00123DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00123ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00123F0E
CoGetObject.OLE32(?,00000000,0013FB98,?), ref: 00123F2D
SetErrorMode.KERNEL32(00000000), ref: 00123F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00123FC4
VariantClear.OLEAUT32(?), ref: 00123FD8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 152f211513f5d51d1aa2a3d3d8867e6e90fb096874c73688372629209d9acb2e
Instruction ID: e10f7268237f245bdd2dcb4884fd5144e2dfeea4ecf955c4defcea9537ed2f51
Opcode Fuzzy Hash: 152f211513f5d51d1aa2a3d3d8867e6e90fb096874c73688372629209d9acb2e
Instruction Fuzzy Hash: 21C16571608315AFC700DF68D88496BBBE9FF89744F00491DF99A9B211DB30EE56CB92

Function 00117A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00117AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00117B8F
SHGetDesktopFolder.SHELL32(?), ref: 00117BA3
CoCreateInstance.OLE32(0013FD08,00000000,00000001,00166E6C,?), ref: 00117BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00117C74
CoTaskMemFree.OLE32(?,?), ref: 00117CCC
SHBrowseForFolderW.SHELL32(?), ref: 00117D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00117D7A
CoTaskMemFree.OLE32(00000000), ref: 00117D81
CoTaskMemFree.OLE32(00000000), ref: 00117DD6
CoUninitialize.OLE32 ref: 00117DDC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a804de5b61bd7efb566f334f15aa3d0aeb7dad95fb8ecd3cdecb9bbeab8bcd4e
Instruction ID: be92bd425aeb846f669ba427735bf0f677cb1608e8641cfb32d37a41fa322c3c
Opcode Fuzzy Hash: a804de5b61bd7efb566f334f15aa3d0aeb7dad95fb8ecd3cdecb9bbeab8bcd4e
Instruction Fuzzy Hash: D1C11D75A04109AFCB14DFA4C884DAEBBF5FF49314B1484A9E41A9B762D730EE81CB90

Function 0013541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00135504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00135515
CharNextW.USER32(00000158), ref: 00135544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00135585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0013559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001355AC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: ead622112451b03e14f683ec10f40f3a466d20d11ef0c58eaf5447c67e2d3eb9
Instruction ID: 3e361bfcf9d2321090fdf19c241f671843ff8f74a353f297301e9bbb003ce44d
Opcode Fuzzy Hash: ead622112451b03e14f683ec10f40f3a466d20d11ef0c58eaf5447c67e2d3eb9
Instruction Fuzzy Hash: 84619D71900608EFDF14CF94CC85AFE7BBAEF09B24F108145F925AB291D7749A80DBA0

Function 000FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 000FFB08
VariantInit.OLEAUT32(?), ref: 000FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000FFB3A
VariantCopy.OLEAUT32(?,?), ref: 000FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000FFBA1
VariantClear.OLEAUT32(?), ref: 000FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 000FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000FFBCC
VariantClear.OLEAUT32(?), ref: 000FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000FFBE9

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2a5a336a13647a5c3d939b80c1ff2f5c64385474f4e2d089a6b0b734d4ef90b3
Instruction ID: e75e80507473f2d96bfd9650de47ea48d77120c263f9fd96891ea6a499239ce3
Opcode Fuzzy Hash: 2a5a336a13647a5c3d939b80c1ff2f5c64385474f4e2d089a6b0b734d4ef90b3
Instruction Fuzzy Hash: 6C415F75A0021ADFCB10DFA4D8549FEBBB9EF48354F008069E915A7661CB30E945DB90

Function 00109C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00109CA1
GetAsyncKeyState.USER32(000000A0), ref: 00109D22
GetKeyState.USER32(000000A0), ref: 00109D3D
GetAsyncKeyState.USER32(000000A1), ref: 00109D57
GetKeyState.USER32(000000A1), ref: 00109D6C
GetAsyncKeyState.USER32(00000011), ref: 00109D84
GetKeyState.USER32(00000011), ref: 00109D96
GetAsyncKeyState.USER32(00000012), ref: 00109DAE
GetKeyState.USER32(00000012), ref: 00109DC0
GetAsyncKeyState.USER32(0000005B), ref: 00109DD8
GetKeyState.USER32(0000005B), ref: 00109DEA

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e171fd1c592a824501f9d22ef5afc030d3fadc217b2b62ef339b53f8a6185ff7
Instruction ID: 7c4203457b9c751c859a70d34a3ff86508561f9b247e4f82607555620c4048cc
Opcode Fuzzy Hash: e171fd1c592a824501f9d22ef5afc030d3fadc217b2b62ef339b53f8a6185ff7
Instruction Fuzzy Hash: 6941DA74A447CA6DFF3197A0C9243B5BEA06F11344F04805ADAC6565C3DBE59DC8C792

Function 0012055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001205BC
inet_addr.WSOCK32(?), ref: 0012061C
gethostbyname.WSOCK32(?), ref: 00120628
IcmpCreateFile.IPHLPAPI ref: 00120636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001207B9
WSACleanup.WSOCK32 ref: 001207BF

Strings

Ping, xrefs: 00120676

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8d1be2f4c34d0bf4e52fdf35de2e013eceb9b153508afaceff5a1bba903121bb
Instruction ID: fa5690bc067ceb7f92c6e4118fe1a2300a8c1e2ffe63276a4cdeaaa54517a918
Opcode Fuzzy Hash: 8d1be2f4c34d0bf4e52fdf35de2e013eceb9b153508afaceff5a1bba903121bb
Instruction Fuzzy Hash: AD91AE356042119FD321CF15E888F1ABBE0EF48318F1586A9F4A99B6A3C770ED95CF91

Function 00128CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00128CF3

Part of subcall function 00108E54: _wcslen.LIBCMT ref: 00108E77

_wcslen.LIBCMT ref: 00128D4E
_wcslen.LIBCMT ref: 00128D9C
_wcslen.LIBCMT ref: 00128DDC
_wcslen.LIBCMT ref: 00128E6E

Strings

winapi, xrefs: 00128D96, 00128D9B
cdecl, xrefs: 00128D48, 00128D4D
stdcall, xrefs: 00128DD6, 00128DDB
none, xrefs: 00128E65, 00128E6A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: dca38c642806c05e90480f09d27fc410dcf28dcb9f5b7d8a51ed6ab4e07be20d
Instruction ID: a145828baf1c5a637787c6586af2c90d721a06100086e20a77f5fafa12358852
Opcode Fuzzy Hash: dca38c642806c05e90480f09d27fc410dcf28dcb9f5b7d8a51ed6ab4e07be20d
Instruction Fuzzy Hash: 3B51B032A0112A9BCB14DFACD9509FEB3A5BF65324B224229E826E72C5DF31DD54C790

Function 0012372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00123774
CoUninitialize.OLE32 ref: 0012377F
CoCreateInstance.OLE32(?,00000000,00000017,0013FB78,?), ref: 001237D9
IIDFromString.OLE32(?,?), ref: 0012384C
VariantInit.OLEAUT32(?), ref: 001238E4
VariantClear.OLEAUT32(?), ref: 00123936

Strings

Failed to create object, xrefs: 001237E4, 0012389A
NULL Pointer assignment, xrefs: 0012381E
Invalid parameter, xrefs: 00123865

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 822500aeda449e9266c7e28ad5bd91bdc7ba90d2e5db641eac80abe45b9bca2d
Instruction ID: b68f57d8c11ce2da4efb789f06bc214a2a07995aca39eb0c7a42e7e311940921
Opcode Fuzzy Hash: 822500aeda449e9266c7e28ad5bd91bdc7ba90d2e5db641eac80abe45b9bca2d
Instruction Fuzzy Hash: 7C61F370608321AFD711DF64D848FAAB7E8EF49714F00090DF9959B291D774EE98CBA2

Function 00118195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00118257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00118267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00118273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00118310
SetCurrentDirectoryW.KERNEL32(?), ref: 00118324
SetCurrentDirectoryW.KERNEL32(?), ref: 00118356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0011838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00118395

Strings

*.*, xrefs: 0011839B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 347752e031c908be2564318d14faf028c32e39112dbada8a3c3a861262a6bab7
Instruction ID: f469b5d4f186fceea2730f63385d34dd8f136d91cd00891cda215d51ef07d425
Opcode Fuzzy Hash: 347752e031c908be2564318d14faf028c32e39112dbada8a3c3a861262a6bab7
Instruction Fuzzy Hash: 75616B725047059FC714EF64C840AEEB3E8FF89314F04892EF99997252EB31E985CB92

Function 00113388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001133CF

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001133F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00113504
^ ERROR , xrefs: 0011349E
Error: , xrefs: 001134D1
"%s" (%d) : ==> %s:, xrefs: 00113522
Incorrect parameters to object property !, xrefs: 001134AB
Line %d (File "%s"):, xrefs: 00113443, 0011345C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3d508e70261f0713df4c711474b019328b06d8cf58336b3125704adaf97d0d5c
Instruction ID: 22b903ca1272e91e776b80f518dc22239590511617c46cea1362d43b4fcbc66d
Opcode Fuzzy Hash: 3d508e70261f0713df4c711474b019328b06d8cf58336b3125704adaf97d0d5c
Instruction Fuzzy Hash: 3A518D72A00209BADF19EBE0CD42EEEB779AF15740F204065F405720A2EF352F98DB60

Function 0010B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0010B5FC
_wcslen.LIBCMT ref: 0010B608
_wcslen.LIBCMT ref: 0010B64D
_wcslen.LIBCMT ref: 0010B68C
_wcslen.LIBCMT ref: 0010B6C7

Strings

KEYS, xrefs: 0010B647, 0010B64C
APPEND, xrefs: 0010B6C1, 0010B6C6
REMOVE, xrefs: 0010B602, 0010B607
EXISTS, xrefs: 0010B686, 0010B68B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: cbd0a62ec50a280ae518c1ccf3f8194eb51c53ec21cc37a0afc18d48e82241ff
Instruction ID: fe2ec96b3e4817f5b59c45ea5338aa02b31a223e065f2cf3e49d1618d5fd4d12
Opcode Fuzzy Hash: cbd0a62ec50a280ae518c1ccf3f8194eb51c53ec21cc37a0afc18d48e82241ff
Instruction Fuzzy Hash: A041F632A080279BCB206F7DCDD05BE77A5BFA1B54B254229E4A1DB2C4E772CD81C790

Function 00115393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00115416
GetLastError.KERNEL32 ref: 00115420
SetErrorMode.KERNEL32(00000000,READY), ref: 001154A7

Strings

INVALID, xrefs: 00115459
READONLY, xrefs: 00115452
UNKNOWN, xrefs: 00115444
READY, xrefs: 00115460, 00115468
NOTREADY, xrefs: 0011544B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1f7028ca71af39749a53d73caba58272fa449c860f4712abd1918976324967f0
Instruction ID: 18974693e5f9c01908b0cb2c1adf503962c8149e6d4cfad5b635a35447993cfe
Opcode Fuzzy Hash: 1f7028ca71af39749a53d73caba58272fa449c860f4712abd1918976324967f0
Instruction Fuzzy Hash: 4031C135A00604DFD718DFA8C884BEABBB5EF85345F148065E405DB692EB71DDC2CBA0

Function 00133C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00133C79
SetMenu.USER32(?,00000000), ref: 00133C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00133D10
IsMenu.USER32(?), ref: 00133D24
CreatePopupMenu.USER32 ref: 00133D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00133D5B
DrawMenuBar.USER32 ref: 00133D63

Strings

F, xrefs: 00133D4E
0, xrefs: 00133C54

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 6f0a6c18d4f13e546b97fcabc65e556a1fdb96be583c2ace04f967559377fab2
Instruction ID: 114fbf5baef3274cd1b08f7fd6cb38aba4f4b41ed54343e00912b0c567c2f7b8
Opcode Fuzzy Hash: 6f0a6c18d4f13e546b97fcabc65e556a1fdb96be583c2ace04f967559377fab2
Instruction Fuzzy Hash: AF414879A01209EFDB14CFA4D884EEA7BB5FF49350F140029FA56A7360D770AA50CF98

Function 00101EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 00103CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00103CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00101F64
GetDlgCtrlID.USER32 ref: 00101F6F
GetParent.USER32 ref: 00101F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00101F8E
GetDlgCtrlID.USER32(?), ref: 00101F97
GetParent.USER32(?), ref: 00101FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00101FAE

Strings

ListBox, xrefs: 00101F21
ComboBox, xrefs: 00101EEC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 48d5058692d812c7964f327d56b7844521f1ab170b1649bb5c5b023923163787
Instruction ID: 6e999cf270e1cc58c95f6fda630138a67db01f1f7a7deb4e313a63154f0e1dbc
Opcode Fuzzy Hash: 48d5058692d812c7964f327d56b7844521f1ab170b1649bb5c5b023923163787
Instruction Fuzzy Hash: B321F6B0A00214BBCF04AFA0CC85DFEBBB9EF16350F004115F9A1A72D1CB785958DBA0

Function 00133A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00133A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00133AA0
GetWindowLongW.USER32(?,000000F0), ref: 00133AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00133AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00133B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00133BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00133BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00133BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00133BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00133C13

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 0ed1ccb8408ba320da8417ebd57259adba93370fbc077a40bd1aaa5512b452f9
Instruction ID: 9c1f1fdd636dc62b19926cc330e33dc55a98df373a9b754618cce54206a8fbab
Opcode Fuzzy Hash: 0ed1ccb8408ba320da8417ebd57259adba93370fbc077a40bd1aaa5512b452f9
Instruction Fuzzy Hash: F8617C75900248AFDB10DFA8CC81EEE77F8EB09704F10419AFA15A72A1C774AE85DB54

Function 000D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000D2C94

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000D2CA0
_free.LIBCMT ref: 000D2CAB
_free.LIBCMT ref: 000D2CB6
_free.LIBCMT ref: 000D2CC1
_free.LIBCMT ref: 000D2CCC
_free.LIBCMT ref: 000D2CD7
_free.LIBCMT ref: 000D2CE2
_free.LIBCMT ref: 000D2CED
_free.LIBCMT ref: 000D2CFB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b1cc9a40cdd9756d686725c8f8c52e712fc5ccaea88776d2653d42e39dd54614
Instruction ID: a7da965033a8330edf9845b9ae407ad7c77a052f92128d1779eb15d892fb70db
Opcode Fuzzy Hash: b1cc9a40cdd9756d686725c8f8c52e712fc5ccaea88776d2653d42e39dd54614
Instruction Fuzzy Hash: 41119376100208AFCB02EF54D992CDD7BA5FF15350F4144A6FA489B322DA31EE50ABA0

Function 00117DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00117FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00117FC1
GetFileAttributesW.KERNEL32(?), ref: 00117FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00118005
SetCurrentDirectoryW.KERNEL32(?), ref: 00118017
SetCurrentDirectoryW.KERNEL32(?), ref: 00118060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001180B0

Strings

*.*, xrefs: 00118066

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dae851f3f8179ff41a767e94b2dd1a2b97ce79b8beb5a258355489134f6d2c9f
Instruction ID: 9862043420c78336deca3563a0c4bc96b05602395823ddb36ac20317220770ae
Opcode Fuzzy Hash: dae851f3f8179ff41a767e94b2dd1a2b97ce79b8beb5a258355489134f6d2c9f
Instruction Fuzzy Hash: 1C8190725082459BCB28EF54C844AEEB3E9BB89310F148C6EF885D7291DB34DD85CB92

Function 000A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 000A5C7A

Part of subcall function 000A5D0A: GetClientRect.USER32(?,?), ref: 000A5D30
Part of subcall function 000A5D0A: GetWindowRect.USER32(?,?), ref: 000A5D71
Part of subcall function 000A5D0A: ScreenToClient.USER32(?,?), ref: 000A5D99

GetDC.USER32 ref: 000E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000E4708
SelectObject.GDI32(00000000,00000000), ref: 000E4716
SelectObject.GDI32(00000000,00000000), ref: 000E472B
ReleaseDC.USER32(?,00000000), ref: 000E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000E47C4

Strings

U, xrefs: 000E4693

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7b9ed7f0d45a9774ac8c650dd51ef45f1e4b87229ffcba7177bca2a83efcc47f
Instruction ID: 2cf8ebbaa73e46529f8b5f29f50a514a4f3e88394c5074b99c0aac8e4ac6b61f
Opcode Fuzzy Hash: 7b9ed7f0d45a9774ac8c650dd51ef45f1e4b87229ffcba7177bca2a83efcc47f
Instruction Fuzzy Hash: E471E030404245EFCF218FA5CD84AEE7BF5FF4A365F144269ED956A2AAC7308881DF90

Function 0011359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001135E4

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

LoadStringW.USER32(00172390,?,00000FFF,?), ref: 0011360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00113724
"%s" (%d) : ==> %s:, xrefs: 00113742
Error: , xrefs: 001136EF
^ ERROR, xrefs: 001136C9
Line %d (File "%s"):, xrefs: 0011366B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8f8d7089d4e80f0f3316b17670b3ab60ba7a0f7cd58f00b681b7390059c032a3
Instruction ID: a81945ff591e595973fa7ccffb4ec51f74385eb2b0029d2cbceb6c148e57e2d8
Opcode Fuzzy Hash: 8f8d7089d4e80f0f3316b17670b3ab60ba7a0f7cd58f00b681b7390059c032a3
Instruction Fuzzy Hash: F9515B72900219BADF19EBE0CC42EEEBB78AF15350F144125F515721A2EB311BD9DFA1

Function 00138B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

Part of subcall function 000B912D: GetCursorPos.USER32(?), ref: 000B9141
Part of subcall function 000B912D: ScreenToClient.USER32(00000000,?), ref: 000B915E
Part of subcall function 000B912D: GetAsyncKeyState.USER32(00000001), ref: 000B9183
Part of subcall function 000B912D: GetAsyncKeyState.USER32(00000002), ref: 000B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00138B6B
ImageList_EndDrag.COMCTL32 ref: 00138B71
ReleaseCapture.USER32 ref: 00138B77
SetWindowTextW.USER32(?,00000000), ref: 00138C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00138C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00138CFF

Strings

@GUI_DROPID, xrefs: 00138C51
@GUI_DRAGFILE, xrefs: 00138C9A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: cca2103769468bd1215b866206654a2feda4147406da54fae50e8c7464ca0cee
Instruction ID: e190a02cafc57fa32824497489867e976d55ac91fbacdae5dd719c0950c35890
Opcode Fuzzy Hash: cca2103769468bd1215b866206654a2feda4147406da54fae50e8c7464ca0cee
Instruction Fuzzy Hash: CC518C71204304AFD704DF54DC56FAA77E4FB89754F400A2DF956672E2CB70A944CBA2

Function 0011C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0011C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0011C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0011C2CA
GetLastError.KERNEL32 ref: 0011C322
SetEvent.KERNEL32(?), ref: 0011C336
InternetCloseHandle.WININET(00000000), ref: 0011C341

Strings

, xrefs: 0011C2BB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 623bac2c573ad94e38f5c2cf56760b6e62a48fdbda11de09f3aee6148c8e04fa
Instruction ID: 59ce6e6ec4a7963bbb93f37b9d82d116bda978b24e83b50fcd62e8073ee0f975
Opcode Fuzzy Hash: 623bac2c573ad94e38f5c2cf56760b6e62a48fdbda11de09f3aee6148c8e04fa
Instruction Fuzzy Hash: C3319FB1544204AFD7259FA58C88AEB7BFCFB49740B10852DF456E2600DB30DD848BE1

Function 0010989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000E3AAF,?,?,Bad directive syntax error,0013CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001098BC
LoadStringW.USER32(00000000,?,000E3AAF,?), ref: 001098C3

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00109987

Strings

Line %d:, xrefs: 00109912
%s (%d) : ==> %s.: %s %s, xrefs: 001098F1
Line %d (File "%s"):, xrefs: 0010992D
., xrefs: 0010996D
Error: , xrefs: 00109955

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 64dcfdb4c120578b8d73be3d1ae9c071010e555e521fd521955af8a3e7171af9
Instruction ID: 550bf45853ee4f647f81d2b4b1291317b42e4d80dfb69ac8d5739a50e4ef1225
Opcode Fuzzy Hash: 64dcfdb4c120578b8d73be3d1ae9c071010e555e521fd521955af8a3e7171af9
Instruction Fuzzy Hash: 04216B3290021AABCF15AF90CC16EEE7779FF19304F044469F515760A3EB719A68DB51

Function 0010209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0010214D

Strings

list, xrefs: 0010212F
SHELLDLL_DefView, xrefs: 001020CC
smallicons, xrefs: 00102115
largeicons, xrefs: 001020E1
details, xrefs: 001020FB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b3368bc5e2e1bae1dcdc32949c1e0fded6d2a39d4629d0cc7b300bbd6ec16bcb
Instruction ID: 1a48e37597a8093aa4ae1cf9198fd71a370674375a60a4be501aa437b491056c
Opcode Fuzzy Hash: b3368bc5e2e1bae1dcdc32949c1e0fded6d2a39d4629d0cc7b300bbd6ec16bcb
Instruction Fuzzy Hash: 471106BA688706B9FB192720DC0BDEA779DDB05324F20011AFB44A50E2EFF168525654

Function 000D8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255d197a70b3ed6c54fe1aa1baa2cc900012747e13ddfef6ffef1b267b56405c
Instruction ID: 60449d88874c83fde2e8314cb3568e5cd8f1f0537b962afbaa228b0d357bceb5
Opcode Fuzzy Hash: 255d197a70b3ed6c54fe1aa1baa2cc900012747e13ddfef6ffef1b267b56405c
Instruction Fuzzy Hash: 2FC1D074A04349AFDB61DFA8D845BEDBFF1AF09310F14819AE519A7392C7309981CB71

Function 000DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000DCEB7
_free.LIBCMT ref: 000DCF22
_free.LIBCMT ref: 000DCF48
_free.LIBCMT ref: 000DCF71
_free.LIBCMT ref: 000DCFA9
_free.LIBCMT ref: 000DCFDA
_free.LIBCMT ref: 000DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 000DD09C
_free.LIBCMT ref: 000DD0B5

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 31198c5d08190fd026f47b736f590f17699658d316a53c389d7ec2d9f5168ed9
Instruction ID: 8d705b30ab6249750265ea4c301a385ea5e875f9dc0ba76f95a55e21bb8d96f1
Opcode Fuzzy Hash: 31198c5d08190fd026f47b736f590f17699658d316a53c389d7ec2d9f5168ed9
Instruction Fuzzy Hash: EE61E2B1904302AFEB21AFB4D895AEDBBE5AF05310F14417FF94997382D6319941D7B0

Function 001350D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00135186
ShowWindow.USER32(?,00000000), ref: 001351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001351D1

Part of subcall function 00136FBA: DeleteObject.GDI32(00000000), ref: 00136FE6

GetWindowLongW.USER32(?,000000F0), ref: 0013520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0013521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0013524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00135287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00135296

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5413ff86e85e3f5fbb4c999ff9fe6247af95ad6427d347b7ebd7135880da1dd5
Instruction ID: 1e29fb0845198e9ecab324fd2270b46f86d3d4e641f9acacb74b5044cf700473
Opcode Fuzzy Hash: 5413ff86e85e3f5fbb4c999ff9fe6247af95ad6427d347b7ebd7135880da1dd5
Instruction Fuzzy Hash: 8C51A030A50A08FFEF249F24CC4ABDA3BB7FB05B65F148111FA15A62E1C775A990DB40

Function 000B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000B8874,00000000,00000000,00000000,000000FF,00000000), ref: 000F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000B8874,00000000,00000000,00000000,000000FF,00000000), ref: 000F692D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2da856df7f20babcedda9d7d70449909eb5c100da2c9ae9c5390cc0451ad6f96
Instruction ID: 58a733f0b6e792235397c7fbc650a91e9c421b24b360c3cb0ffc3d8a67441eb7
Opcode Fuzzy Hash: 2da856df7f20babcedda9d7d70449909eb5c100da2c9ae9c5390cc0451ad6f96
Instruction Fuzzy Hash: 55517970600209EFDB20CF28CC55FAA7BF9FB58750F108518FA56A76A0DB71E991EB50

Function 0011C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0011C182
GetLastError.KERNEL32 ref: 0011C195
SetEvent.KERNEL32(?), ref: 0011C1A9

Part of subcall function 0011C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0011C272
Part of subcall function 0011C253: GetLastError.KERNEL32 ref: 0011C322
Part of subcall function 0011C253: SetEvent.KERNEL32(?), ref: 0011C336
Part of subcall function 0011C253: InternetCloseHandle.WININET(00000000), ref: 0011C341

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bb32210dc01f02b34f129c9c62be839df8b953d0bc28906225ef3591ed53ef73
Instruction ID: 72e4fbf9c0f07faad955558e1c4da60a18f27763d3ecd37ebda5bd37cc3b565c
Opcode Fuzzy Hash: bb32210dc01f02b34f129c9c62be839df8b953d0bc28906225ef3591ed53ef73
Instruction Fuzzy Hash: E8318D71280601FFDB299FA5DC48AABBBF9FF18300B04442DF95692A10D730E894DBE0

Function 001025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00103A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00103A57
Part of subcall function 00103A3D: GetCurrentThreadId.KERNEL32 ref: 00103A5E
Part of subcall function 00103A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001025B3), ref: 00103A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00102601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00102605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0010260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00102623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00102627

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1b5ddc945e0dff0747dc8ee075584740109935fd16e7d64ea85576608a7e27d9
Instruction ID: c0f958d05988354b4e63c6b01e7b48bbfa007f971ae65046df3e31bdfabbb3b0
Opcode Fuzzy Hash: 1b5ddc945e0dff0747dc8ee075584740109935fd16e7d64ea85576608a7e27d9
Instruction Fuzzy Hash: 6501D431390210FBFB1067689C8EF993F59DB5EB12F100001F368BF1D1CAF224849AA9

Function 00101803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00101449,?,?,00000000), ref: 0010180C
HeapAlloc.KERNEL32(00000000,?,00101449,?,?,00000000), ref: 00101813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00101449,?,?,00000000), ref: 00101828
GetCurrentProcess.KERNEL32(?,00000000,?,00101449,?,?,00000000), ref: 00101830
DuplicateHandle.KERNEL32(00000000,?,00101449,?,?,00000000), ref: 00101833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00101449,?,?,00000000), ref: 00101843
GetCurrentProcess.KERNEL32(00101449,00000000,?,00101449,?,?,00000000), ref: 0010184B
DuplicateHandle.KERNEL32(00000000,?,00101449,?,?,00000000), ref: 0010184E
CreateThread.KERNEL32(00000000,00000000,00101874,00000000,00000000,00000000), ref: 00101868

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b46a3d1330c9814ba4a1970b5e817effca228c2365aba0969c00367919388349
Instruction ID: 3aef65380b5c84edb2f1cca5b02c6825fb04b763c2590db2518a6e474da505c7
Opcode Fuzzy Hash: b46a3d1330c9814ba4a1970b5e817effca228c2365aba0969c00367919388349
Instruction Fuzzy Hash: 7201BBB5240308FFE710ABA5DC4DF6B3BACEB89B11F008411FA05EB5A1CA74D850DB60

Function 0012A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0010D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0010D501
Part of subcall function 0010D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0010D50F
Part of subcall function 0010D4DC: CloseHandle.KERNEL32(00000000), ref: 0010D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012A16D
GetLastError.KERNEL32 ref: 0012A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0012A268
GetLastError.KERNEL32(00000000), ref: 0012A273
CloseHandle.KERNEL32(00000000), ref: 0012A2C4

Strings

SeDebugPrivilege, xrefs: 0012A18F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9115ec64ef605ede5593e53bf28cc38f66ba1b8b5c0ad1ba92a4cd600c8e3360
Instruction ID: 68180617f1c6764691e5017ca3670d498402a3356a749dd2fc074639e2e9f1ce
Opcode Fuzzy Hash: 9115ec64ef605ede5593e53bf28cc38f66ba1b8b5c0ad1ba92a4cd600c8e3360
Instruction Fuzzy Hash: B961E130204212EFD720DF54D894F15BBE1AF54318F59849CE46A8BBA3C772EC55CB92

Function 00133886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00133925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0013393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00133954
_wcslen.LIBCMT ref: 00133999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001339F4

Strings

SysListView32, xrefs: 001338F7

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 242171b9c7df0b0c45985b364f9420ebb8ddacfe631f6256211af3195c7dcc4e
Instruction ID: 474bdd31b0812a9af257a6e14304bcfe2a0a99077c1ec6f2830e28c234edb9cf
Opcode Fuzzy Hash: 242171b9c7df0b0c45985b364f9420ebb8ddacfe631f6256211af3195c7dcc4e
Instruction Fuzzy Hash: FA41B371A00218ABEF219F64CC49FEA7BA9FF08354F10056AF958E7281D771DE90CB94

Function 0010BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0010BCFD
IsMenu.USER32(00000000), ref: 0010BD1D
CreatePopupMenu.USER32 ref: 0010BD53
GetMenuItemCount.USER32(00C85210), ref: 0010BDA4
InsertMenuItemW.USER32(00C85210,?,00000001,00000030), ref: 0010BDCC

Strings

2, xrefs: 0010BD37
0, xrefs: 0010BCA8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 9abbfe88454e50d42f22e5cc326177d1badd743218811f24d2d9361e68c98227
Instruction ID: 11d493cde7a43f67431e5c1628d4d7eaf241bd9ad3989163299838a7b95542ac
Opcode Fuzzy Hash: 9abbfe88454e50d42f22e5cc326177d1badd743218811f24d2d9361e68c98227
Instruction Fuzzy Hash: 74519C70A0820ADBDB10DFE8D8C8BAEFBF4BF55318F148219E495A72D1D7B09941CB61

Function 0010C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0010C913

Strings

blank, xrefs: 0010C895
info, xrefs: 0010C8B4
question, xrefs: 0010C8CC
warning, xrefs: 0010C8FC
stop, xrefs: 0010C8E4

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ade4b58c374f60780b9a176995246dd393c49970fc6ff89d22dcc031d6950ee0
Instruction ID: 658137d6da350550a9be5a62d14c313fbd562749b2fd102d75b1dbee79b0552e
Opcode Fuzzy Hash: ade4b58c374f60780b9a176995246dd393c49970fc6ff89d22dcc031d6950ee0
Instruction Fuzzy Hash: A7113A32689307BAE7089B54DC83DEE379CDF15318B20412FF944A61C2E7F09E005AE9

Function 0010ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0010ED2A
_wcslen.LIBCMT ref: 0010ED3B
_wcslen.LIBCMT ref: 0010ED79
_wcslen.LIBCMT ref: 0010EDAF
_wcslen.LIBCMT ref: 0010EDDF
_wcslen.LIBCMT ref: 0010EDEF
_wcslen.LIBCMT ref: 0010EE2B
_wcslen.LIBCMT ref: 0010EE5A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e07aba66e84008c646511f2bc91545cc2926cfd8f100939ab336fa8b1c53641a
Instruction ID: 531733a11310b96708f11c07f3f8243a73ebba85e11a3fe907fdf8e19e9cd74d
Opcode Fuzzy Hash: e07aba66e84008c646511f2bc91545cc2926cfd8f100939ab336fa8b1c53641a
Instruction Fuzzy Hash: 79419265C1021875CB11EBF5C88AEDFB7A8EF45710F50886AF518E3162FB34E255C3A5

Function 000BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000F682C,00000004,00000000,00000000), ref: 000BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000F682C,00000004,00000000,00000000), ref: 000FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000F682C,00000004,00000000,00000000), ref: 000FF454

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bb47a33c935360fa8e96e561e019985b6f374e5ce44adadc8f8254e5560fdf22
Instruction ID: 8f9bfdcf3658bbe19bf29747a252066720356dce41d14e96300c022c0991b688
Opcode Fuzzy Hash: bb47a33c935360fa8e96e561e019985b6f374e5ce44adadc8f8254e5560fdf22
Instruction Fuzzy Hash: 55411731608682FAC7799B2D8C887BA7BD2AF56354F14443CE587A3A61C632A9C0DB51

Function 00132D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00132D1B
GetDC.USER32(00000000), ref: 00132D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00132D2E
ReleaseDC.USER32(00000000,00000000), ref: 00132D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00132D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00132D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00135A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00132DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00132DE1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d597db66f3cebe79f5fe56e6218eadcd89334a8dd9a3e10b288c66df6693cfc4
Instruction ID: cedc4b8c37bd8f992e8820cf1e811dd227fd78cadb7c8b1f7d88317a4d9e7e44
Opcode Fuzzy Hash: d597db66f3cebe79f5fe56e6218eadcd89334a8dd9a3e10b288c66df6693cfc4
Instruction Fuzzy Hash: E4318E76201214BFEB218F50CC8AFEB3FADEF09715F044065FE08AA291C6759C90CBA4

Function 00105622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00105637
_memcmp.LIBVCRUNTIME ref: 00105659
_memcmp.LIBVCRUNTIME ref: 00105671
_memcmp.LIBVCRUNTIME ref: 00105684
_memcmp.LIBVCRUNTIME ref: 0010569E
_memcmp.LIBVCRUNTIME ref: 001056B1
_memcmp.LIBVCRUNTIME ref: 001056C9
_memcmp.LIBVCRUNTIME ref: 001056E4

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: af3185d2b68f708faac3ed1f2ad0e40422f603f06b27cd4931d1c534763d62d8
Instruction ID: 890e1d5428e392423123b6d5f0f9b63e0bc15d9fa97f4168050b9e98dcbe9a54
Opcode Fuzzy Hash: af3185d2b68f708faac3ed1f2ad0e40422f603f06b27cd4931d1c534763d62d8
Instruction Fuzzy Hash: 2321AA71A40A09B7D31856118E82FFF335EAF21398F440028FD455A5C2FBE2EE118DA5

Function 00124FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0012502E, 00125383
Not an Object type, xrefs: 00125007

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 880b237586fa5db9159577f9ec7b36c5a68775591b721947faf260a0656b2295
Instruction ID: f81f3ad8d97b65c8bcefcf0e54b0655a50892d531fd03121643d84cc3c61fde4
Opcode Fuzzy Hash: 880b237586fa5db9159577f9ec7b36c5a68775591b721947faf260a0656b2295
Instruction Fuzzy Hash: 19D1B271A0061A9FDF14CF98E8C1BAEB7B6BF48354F148069E915AB281E770DD51CB90

Function 000E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000E17FB,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000E16FB

Part of subcall function 000D3820: RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000E1777
__freea.LIBCMT ref: 000E17A2
__freea.LIBCMT ref: 000E17AE

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f5b5e636d49527e654e13cd2f8e0bc1299cbd5242772146714b1a7f4535107f2
Instruction ID: fe9906a0df7041224c68ccef617b014c254273699fa02b25fdaf5cdfd6e742cc
Opcode Fuzzy Hash: f5b5e636d49527e654e13cd2f8e0bc1299cbd5242772146714b1a7f4535107f2
Instruction Fuzzy Hash: 3B91C472E046969EDB208F76C881EEEBBF5AF49710F184659E851F7181DB35CD40CBA0

Function 00124523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00124648
VariantInit.OLEAUT32(?), ref: 00124749
VariantClear.OLEAUT32(?), ref: 00124753
VariantClear.OLEAUT32(?), ref: 001247B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 001245D8, 00124706, 001247BE
Incorrect Object type in FOR..IN loop, xrefs: 0012472C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1375c7db5386b4528c937512ab3484c4b2c1996c34844e257ecf61467b82fa34
Instruction ID: abb91111d863b883b5e6167a8c7d294ee9e7a8711c7946e630c8baf24e549afc
Opcode Fuzzy Hash: 1375c7db5386b4528c937512ab3484c4b2c1996c34844e257ecf61467b82fa34
Instruction Fuzzy Hash: BF919D71A00229ABDF24CFA4EC84FEEBBB8EF46714F108559F515AB281D7709951CFA0

Function 00111187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0011125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00111284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0011135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00111430

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b9f3bbe3511b4bfadca675e0b535ff14f0bd4c0f0fb6e914b49b9648485d7926
Instruction ID: 84ca86a40662d509ffc79cd1d7ecb9e43493ea5566e27b36c6aa15b51595e130
Opcode Fuzzy Hash: b9f3bbe3511b4bfadca675e0b535ff14f0bd4c0f0fb6e914b49b9648485d7926
Instruction Fuzzy Hash: C491F471A00219AFDB08DFA4D884BFEB7B5FF45720F214039EA11E7691D774A981CB90

Function 000B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 16890a4848fe064a239f27c38a634e281b55f79eb45ddeefad1b307c9077ac19
Instruction ID: 8b1317f59d515d72fefbae8b89c16491a34cca8517ea8b21dfa00d47add25a09
Opcode Fuzzy Hash: 16890a4848fe064a239f27c38a634e281b55f79eb45ddeefad1b307c9077ac19
Instruction Fuzzy Hash: 7D913771D40219EFCB64CFA9CC84AEEBBB8FF49320F148155E615B7251D374AA81DBA0

Function 00123947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0012396B
CharUpperBuffW.USER32(?,?), ref: 00123A7A
_wcslen.LIBCMT ref: 00123A8A
VariantClear.OLEAUT32(?), ref: 00123C1F

Part of subcall function 00110CDF: VariantInit.OLEAUT32(00000000), ref: 00110D1F
Part of subcall function 00110CDF: VariantCopy.OLEAUT32(?,?), ref: 00110D28
Part of subcall function 00110CDF: VariantClear.OLEAUT32(?), ref: 00110D34

Strings

AUTOIT.ERROR, xrefs: 00123A80, 00123A85
Incorrect Parameter format, xrefs: 001239A6, 00123BA1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 21e2c4a3faaf2bb7277fe1749083ce5adbe06b0eda0f5e47f662ad8d9bb4da58
Instruction ID: 59a8ec17d9cc8061474d031530c53720becf0dc548a53a2606e99a6a1647383d
Opcode Fuzzy Hash: 21e2c4a3faaf2bb7277fe1749083ce5adbe06b0eda0f5e47f662ad8d9bb4da58
Instruction Fuzzy Hash: 4A919C746083119FC704EF64D48096AB7E5FF89314F04892EF89997352DB34EE45CB92

Function 00124BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0010000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?,?,0010035E), ref: 0010002B
Part of subcall function 0010000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100046
Part of subcall function 0010000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100054
Part of subcall function 0010000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?), ref: 00100064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00124C51
_wcslen.LIBCMT ref: 00124D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00124DCF
CoTaskMemFree.OLE32(?), ref: 00124DDA

Strings

NULL Pointer assignment, xrefs: 00124E23, 00124E52

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: fadfc5fd3e1177a58e1727ac76d26180a620e44d9107c0d38a4fee6b9aa7ae2f
Instruction ID: 9ee1603a9d48bb0753b9072f6de187f9f2f12162574cee7216e343e6e89d6579
Opcode Fuzzy Hash: fadfc5fd3e1177a58e1727ac76d26180a620e44d9107c0d38a4fee6b9aa7ae2f
Instruction Fuzzy Hash: D7912771D0022DAFDF14DFA4D890AEEB7B8FF09310F108169E915A7291DB749A54CFA0

Function 001320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00132183
GetMenuItemCount.USER32(00000000), ref: 001321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001321DD
_wcslen.LIBCMT ref: 00132213
GetMenuItemID.USER32(?,?), ref: 0013224D
GetSubMenu.USER32(?,?), ref: 0013225B

Part of subcall function 00103A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00103A57
Part of subcall function 00103A3D: GetCurrentThreadId.KERNEL32 ref: 00103A5E
Part of subcall function 00103A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001025B3), ref: 00103A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001322E3

Part of subcall function 0010E97B: Sleep.KERNEL32 ref: 0010E9F3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: dd85dfaa65722084f86e5b3b48c430ce3cd16a4d9360a1f30b49bf3938885341
Instruction ID: f099cddc142917fbfed44e48f092a1d499f18d8e1a2eb308702fe0f71f33ebbe
Opcode Fuzzy Hash: dd85dfaa65722084f86e5b3b48c430ce3cd16a4d9360a1f30b49bf3938885341
Instruction Fuzzy Hash: BA718D75A00205AFCB14EFA4C845AAEB7F5FF48310F158469E816EB351DB74EE418B90

Function 00137E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C853C8), ref: 00137F37
IsWindowEnabled.USER32(00C853C8), ref: 00137F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0013801E
SendMessageW.USER32(00C853C8,000000B0,?,?), ref: 00138051
IsDlgButtonChecked.USER32(?,?), ref: 00138089
GetWindowLongW.USER32(00C853C8,000000EC), ref: 001380AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001380C3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 6b0f784ed07d04d4da284c5ae3744d498c8a4824fc297cd6d131c1570a6ef8cc
Instruction ID: ec802b994c3a12c5f616ece5b1cfa5c7b1f1860e696f2a029d383fc7a17f2830
Opcode Fuzzy Hash: 6b0f784ed07d04d4da284c5ae3744d498c8a4824fc297cd6d131c1570a6ef8cc
Instruction Fuzzy Hash: 87717FB4608204AFEB359F64C884FFABBB9FF19300F144459F969972A1CB31AC85DB50

Function 0010AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0010AEF9
GetKeyboardState.USER32(?), ref: 0010AF0E
SetKeyboardState.USER32(?), ref: 0010AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0010AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0010AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0010AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0010B020

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9cbafcc4f15ba4772ca8544ca1730164b854419ef84b3545495faf73002f7fc0
Instruction ID: eb6d776ddcd03f4de9feb5f06df21f00b18e355beb927e4e8f01efdd5796771d
Opcode Fuzzy Hash: 9cbafcc4f15ba4772ca8544ca1730164b854419ef84b3545495faf73002f7fc0
Instruction Fuzzy Hash: 485180B1A087D63DFB368334C885BBABEA95F06304F088589F1D9958C2D7D9A8C4D751

Function 0010ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0010AD19
GetKeyboardState.USER32(?), ref: 0010AD2E
SetKeyboardState.USER32(?), ref: 0010AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0010ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0010ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0010AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0010AE38

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: aa73390cac8932640b68a6c7b6c5a351d8352bb42158392496c9b0152d1e1b0d
Instruction ID: 336e44d4e57dc994a8da3e2970df4f312c68c0d16a78e7fabbe771478cda3e51
Opcode Fuzzy Hash: aa73390cac8932640b68a6c7b6c5a351d8352bb42158392496c9b0152d1e1b0d
Instruction Fuzzy Hash: 6151F3B15087D13DFB368374CC95BBABEA86F06300F488489E1D5568C2D3D4EC88D762

Function 000D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(000E3CD6,?,?,?,?,?,?,?,?,000D5BA3,?,?,000E3CD6,?,?), ref: 000D5470
__fassign.LIBCMT ref: 000D54EB
__fassign.LIBCMT ref: 000D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,000E3CD6,00000005,00000000,00000000), ref: 000D552C
WriteFile.KERNEL32(?,000E3CD6,00000000,000D5BA3,00000000,?,?,?,?,?,?,?,?,?,000D5BA3,?), ref: 000D554B
WriteFile.KERNEL32(?,?,00000001,000D5BA3,00000000,?,?,?,?,?,?,?,?,?,000D5BA3,?), ref: 000D5584

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d048560932cbb29697672de5fef358cf40be0e29b8ff3645d299989e30109ad0
Instruction ID: c54b40d9ec2eddcbca718007b77a256d6e02af6e8af1a72eb512127412558157
Opcode Fuzzy Hash: d048560932cbb29697672de5fef358cf40be0e29b8ff3645d299989e30109ad0
Instruction Fuzzy Hash: 1951BF70A00B49AFDB11CFA8EC55AEEBBF9EF08301F14411BE955E7391D6309A81CB61

Function 000C2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 000C2D53
_ValidateLocalCookies.LIBCMT ref: 000C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 000C2E0C
_ValidateLocalCookies.LIBCMT ref: 000C2E61

Strings

csm, xrefs: 000C2DF6

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: fa5ea854798e634da1b4062844b7adc6913a1de2c1733bacae94659ece9eb5ea
Instruction ID: 7524d53ffd84569e9d79ca353dd7d5018eea294389017e9450553585760dc9fd
Opcode Fuzzy Hash: fa5ea854798e634da1b4062844b7adc6913a1de2c1733bacae94659ece9eb5ea
Instruction Fuzzy Hash: 4D41B234A00209ABCF10DF68C885FDEBBF5BF44324F148159E8156B7A2DB31AA05CBD0

Function 001210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0012304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0012307A
Part of subcall function 0012304E: _wcslen.LIBCMT ref: 0012309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00121112
WSAGetLastError.WSOCK32 ref: 00121121
WSAGetLastError.WSOCK32 ref: 001211C9
closesocket.WSOCK32(00000000), ref: 001211F9

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 665a136d6beb175ce5000efa7b33046476c38e5fc6fa294ab1005bbd4cfcfc1b
Instruction ID: 857e6c46d228251ef197bf4714873dc7aec8ea2f45e1ca801e557a64f10c68e5
Opcode Fuzzy Hash: 665a136d6beb175ce5000efa7b33046476c38e5fc6fa294ab1005bbd4cfcfc1b
Instruction Fuzzy Hash: F9411631600214AFDB10DF64D884BAAB7EAFF55364F148059FD19AB292C770EE91CBE1

Function 0010CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0010DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0010CF22,?), ref: 0010DDFD

Part of subcall function 0010DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0010CF22,?), ref: 0010DE16

lstrcmpiW.KERNEL32(?,?), ref: 0010CF45
MoveFileW.KERNEL32(?,?), ref: 0010CF7F
_wcslen.LIBCMT ref: 0010D005
_wcslen.LIBCMT ref: 0010D01B
SHFileOperationW.SHELL32(?), ref: 0010D061

Strings

\*.*, xrefs: 0010CFF3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 7c186f1af297290c8395119b36fc2454f9bf41ac58f505b8db0c0ba199186365
Instruction ID: 890c3c0a4cbc3eb64f159e72fada1a198288f1698225d041d87c234f9047b07a
Opcode Fuzzy Hash: 7c186f1af297290c8395119b36fc2454f9bf41ac58f505b8db0c0ba199186365
Instruction Fuzzy Hash: A04167B19052195FDF12EFA4D981EDEB7F9AF18380F1000E6E545EB182EB74AA84CF51

Function 00132DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00132E1C
GetWindowLongW.USER32(?,000000F0), ref: 00132E4F
GetWindowLongW.USER32(?,000000F0), ref: 00132E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00132EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00132EE0
GetWindowLongW.USER32(?,000000F0), ref: 00132EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00132F0B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4447101e78b28c54c8cac4445317bb9121215b16c786d96cc2656778483d7ce3
Instruction ID: 57374e3564a49c32f5a10a15710b0d5cd98b81360d676898151f95e4e0086f24
Opcode Fuzzy Hash: 4447101e78b28c54c8cac4445317bb9121215b16c786d96cc2656778483d7ce3
Instruction Fuzzy Hash: FC313531604250AFEB20EF18DC86FA537E4FB9AB20F150164FA049F2B1CB71AC80DB40

Function 00107726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00107769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010778F
SysAllocString.OLEAUT32(00000000), ref: 00107792
SysAllocString.OLEAUT32(?), ref: 001077B0
SysFreeString.OLEAUT32(?), ref: 001077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001077DE
SysAllocString.OLEAUT32(?), ref: 001077EC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a31813532b18ac2f4a10b9241fe651f5ca1baa0ad29e1b19649b41b33753cfa8
Instruction ID: 844b41b988ffb20f828eedcf07b16f4e02ce119bc518b51c9a76f0986f7f422b
Opcode Fuzzy Hash: a31813532b18ac2f4a10b9241fe651f5ca1baa0ad29e1b19649b41b33753cfa8
Instruction Fuzzy Hash: 43219276A04219AFDB10DFA8CC88CBB77ACEB097A47048425FA55DB1D1D7B0ED8187A0

Function 001077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00107842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00107868
SysAllocString.OLEAUT32(00000000), ref: 0010786B
SysAllocString.OLEAUT32 ref: 0010788C
SysFreeString.OLEAUT32 ref: 00107895
StringFromGUID2.OLE32(?,?,00000028), ref: 001078AF
SysAllocString.OLEAUT32(?), ref: 001078BD

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5c99746c98ff58dd89fc64b9eea3d7943502b70f01683911a5ddee807bd1adb1
Instruction ID: dce2a4945f1a380e41329b62b233cda3c5f3154d02913af64c69c1ca8ae9f7c5
Opcode Fuzzy Hash: 5c99746c98ff58dd89fc64b9eea3d7943502b70f01683911a5ddee807bd1adb1
Instruction Fuzzy Hash: 14216531A04104AFDB109FA8DC88DBA77ACEB097607108126F955DB1E1D7B4EC41CB64

Function 001104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0011052E

Strings

nul, xrefs: 00110567

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3950a5eb73d988cd112b4de4c36dd9fe19af5f4523c4b86cd7d105caa8ae79cb
Instruction ID: 30e9e88cf8a1586961a53446449cd32cc76c13efc7e3fb8cb09deb82615d5c07
Opcode Fuzzy Hash: 3950a5eb73d988cd112b4de4c36dd9fe19af5f4523c4b86cd7d105caa8ae79cb
Instruction Fuzzy Hash: D1218071900305EFDB259F29DC44ADA77A5BF49764F204A29F8A1E72E0E7B099D0CF60

Function 001105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00110601

Strings

nul, xrefs: 00110639

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3993b71fb632d34cc0e2ebc3f76cee48a4d9ebe8206b673cc6d6541e4a0e2788
Instruction ID: a9973082e7ef48236c783a56ce771e5d7d3a5c58625bf3ed306a8899b235883d
Opcode Fuzzy Hash: 3993b71fb632d34cc0e2ebc3f76cee48a4d9ebe8206b673cc6d6541e4a0e2788
Instruction Fuzzy Hash: 302183759003059FDB259F698C04ADA77E4BF99730F204A29F8A1E72D0D7F098E0CB50

Function 001340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000A604C
Part of subcall function 000A600E: GetStockObject.GDI32(00000011), ref: 000A6060
Part of subcall function 000A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00134112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0013411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0013412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00134139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00134145

Strings

Msctls_Progress32, xrefs: 001340E3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e5cb032d835c7451d461005ea37c004144606794635d1fce9b3a7d1ab27491bb
Instruction ID: 39c0b3cde870d6007825d5f8bdb6f6be1ea6c57808ac504d6900f4f916bd8f02
Opcode Fuzzy Hash: e5cb032d835c7451d461005ea37c004144606794635d1fce9b3a7d1ab27491bb
Instruction Fuzzy Hash: D711B2B2140219BFEF119F64CC86EE77F6DEF08798F014111FA18A2190CB72AC61DBA4

Function 000DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000DD7A3: _free.LIBCMT ref: 000DD7CC

_free.LIBCMT ref: 000DD82D

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000DD838
_free.LIBCMT ref: 000DD843
_free.LIBCMT ref: 000DD897
_free.LIBCMT ref: 000DD8A2
_free.LIBCMT ref: 000DD8AD
_free.LIBCMT ref: 000DD8B8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ff497e5dc120d57a1c9c5c9f6fea1a1addca213f395938c6af0c32dc7486b923
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: EE115B71984B04AADA21BFB0CC47FCFBBDCAF10700F400827B29DA6293EA65B5059670

Function 0010DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0010DA74
LoadStringW.USER32(00000000), ref: 0010DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0010DA91
LoadStringW.USER32(00000000), ref: 0010DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0010DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0010DAB9

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 079687a7557cf7efaa97509eabb9540bd1da3fbf496173229b92ca3842308344
Instruction ID: 5270f899f212136aeea65445d39e392ab8c613aa53dee4c6550a2f443a6bbcfa
Opcode Fuzzy Hash: 079687a7557cf7efaa97509eabb9540bd1da3fbf496173229b92ca3842308344
Instruction Fuzzy Hash: 720112F6500218BFE711ABA4DD89EE7766CE708701F404495F746F2081EBB49E848FB5

Function 0011096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C7EBE0,00C7EBE0), ref: 0011097B
EnterCriticalSection.KERNEL32(00C7EBC0,00000000), ref: 0011098D
TerminateThread.KERNEL32(?,000001F6), ref: 0011099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001109A9
CloseHandle.KERNEL32(?), ref: 001109B8
InterlockedExchange.KERNEL32(00C7EBE0,000001F6), ref: 001109C8
LeaveCriticalSection.KERNEL32(00C7EBC0), ref: 001109CF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3012d9970e306423e1997899c2f8bcec2b2e84270a9fb72ff30772a090466090
Instruction ID: 354e5c3af01cff2556615bd0ec445aeeec759dd2d6e01a004329729766a851e5
Opcode Fuzzy Hash: 3012d9970e306423e1997899c2f8bcec2b2e84270a9fb72ff30772a090466090
Instruction Fuzzy Hash: A8F0C932442A12ABD7565BA4EE89ADABA29BF05716F402025F202A0CA1C7B594F5CFD0

Function 00121C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00121DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00121DE1
WSAGetLastError.WSOCK32 ref: 00121DF2
htons.WSOCK32(?,?,?,?,?), ref: 00121EDB
inet_ntoa.WSOCK32(?), ref: 00121E8C

Part of subcall function 001039E8: _strlen.LIBCMT ref: 001039F2

Part of subcall function 00123224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0011EC0C), ref: 00123240

_strlen.LIBCMT ref: 00121F35

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 48d77f2fa94099feae5f47fc5e8266e57f2659008dbe901c4034b5e388a27d7b
Instruction ID: 8f7e0b461d747563d87a8d9ad76ea986da28c6bc529b4b3e1d8805cb42cadd8d
Opcode Fuzzy Hash: 48d77f2fa94099feae5f47fc5e8266e57f2659008dbe901c4034b5e388a27d7b
Instruction Fuzzy Hash: A7B11031604310AFC324DF64D885E6A7BE5AF95318F58894CF46A5B2E3CB31EE46CB91

Function 000A5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 000A5D30
GetWindowRect.USER32(?,?), ref: 000A5D71
ScreenToClient.USER32(?,?), ref: 000A5D99
GetClientRect.USER32(?,?), ref: 000A5ED7
GetWindowRect.USER32(?,?), ref: 000A5EF8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7659d9003681c84d585b17bd252ee68887940ca7fd82e272f938ac491c5756f6
Instruction ID: b23fb81f24c4dbf10c95255fa1a3017ec7deab91fa4264c8e6c2616ea20651ad
Opcode Fuzzy Hash: 7659d9003681c84d585b17bd252ee68887940ca7fd82e272f938ac491c5756f6
Instruction Fuzzy Hash: E0B18C74A0068ADFDB24CFA9C9407EEB7F1FF58311F14841AE8A9E7250DB30AA40CB50

Function 000D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D00D6
__allrem.LIBCMT ref: 000D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D010B
__allrem.LIBCMT ref: 000D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D0140

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: bf9cc5e3d399e1778035f576113a42683cdcd16fa782310f1107f538d7f6f42b
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 9D81E276A00706ABE724AB69CC41BAE73E9EF41364F25413FF415D7382E770D9018BA1

Function 000D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000C82D9,000C82D9,?,?,?,000D644F,00000001,00000001,8BE85006), ref: 000D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000D644F,00000001,00000001,8BE85006,?,?,?), ref: 000D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000D63D8
__freea.LIBCMT ref: 000D63E5

Part of subcall function 000D3820: RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

__freea.LIBCMT ref: 000D63EE
__freea.LIBCMT ref: 000D6413

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2e5567cecdca986e9a58bb65653cd8cdefd8c6a6a0a19ab459ef9669b342b14a
Instruction ID: 654851d1ec5bd3c3538849037f8ef52559a39edf0a83952cee85d274b71cdc69
Opcode Fuzzy Hash: 2e5567cecdca986e9a58bb65653cd8cdefd8c6a6a0a19ab459ef9669b342b14a
Instruction Fuzzy Hash: 0751E172A00316ABEB258F64CC81EBF7BA9EB44750F15422AFC05D6242DB36DD40D6B0

Function 0012BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 0012C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012C9F1
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA68
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0012BD25
RegCloseKey.ADVAPI32(00000000), ref: 0012BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0012BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0012BDF3
RegCloseKey.ADVAPI32(?), ref: 0012BDFF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 54a8d5aa406df49b031012669c6a2837b5348a1efc918384e775d922f337fd6f
Instruction ID: 98f11de185fd7f6998e1937ff23e76f76155acdc63e6169c2aeefbcdf6819e62
Opcode Fuzzy Hash: 54a8d5aa406df49b031012669c6a2837b5348a1efc918384e775d922f337fd6f
Instruction Fuzzy Hash: 8A81AC30208241AFC714DF64D8C1EAABBE5FF85308F14896CF5598B2A2DB31ED55CB92

Function 000FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 000FF7B9
SysAllocString.OLEAUT32(00000001), ref: 000FF860
VariantCopy.OLEAUT32(000FFA64,00000000), ref: 000FF889
VariantClear.OLEAUT32(000FFA64), ref: 000FF8AD
VariantCopy.OLEAUT32(000FFA64,00000000), ref: 000FF8B1
VariantClear.OLEAUT32(?), ref: 000FF8BB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 1569a686ec87b8ab2eb697ba53859e6cf55d3f3c6b5c5569ebd035c2c6fb67f6
Instruction ID: 45dda42e922c482ca00b24909b6c8969cbe7660f3ee57aa13f6551bb079ab3d0
Opcode Fuzzy Hash: 1569a686ec87b8ab2eb697ba53859e6cf55d3f3c6b5c5569ebd035c2c6fb67f6
Instruction Fuzzy Hash: 0351253160431ABACF20AB65C895B7DB3E8EF45310F208467EA01DF693DBB48C40E796

Function 0011910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 000A7620: _wcslen.LIBCMT ref: 000A7625

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001194E5
_wcslen.LIBCMT ref: 00119506
_wcslen.LIBCMT ref: 0011952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00119585

Strings

X, xrefs: 00119412

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 8523a02e4c2f86064ee6832096d0f969f02c4416a4a564730a55aacf542639c2
Instruction ID: b0f405865d739efc98b3f3af6a964df03d86e17c27fb7a5719e8c31ea264815f
Opcode Fuzzy Hash: 8523a02e4c2f86064ee6832096d0f969f02c4416a4a564730a55aacf542639c2
Instruction Fuzzy Hash: 82E1A331A083508FC718DF64C891BAEB7E5BF85314F04896DF8999B2A2DB31DD45CB92

Function 000B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

BeginPaint.USER32(?,?,?), ref: 000B9241
GetWindowRect.USER32(?,?), ref: 000B92A5
ScreenToClient.USER32(?,?), ref: 000B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B92D3
EndPaint.USER32(?,?,?,?,?), ref: 000B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000F71EA

Part of subcall function 000B9339: BeginPath.GDI32(00000000), ref: 000B9357

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 88ae1c66a3c982c53be121142753632e844453b0af5c6d388555c2bcd55b8791
Instruction ID: 9802deea415fa8635b1d6b1aeef3df2d8723744d6f356043848d2b2709415b94
Opcode Fuzzy Hash: 88ae1c66a3c982c53be121142753632e844453b0af5c6d388555c2bcd55b8791
Instruction Fuzzy Hash: 0D41AD71104300AFD721DF28CC85FFA7BF8EB55724F140629FA98976A2C7319885EB62

Function 001107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0011080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00110847
EnterCriticalSection.KERNEL32(?), ref: 00110863
LeaveCriticalSection.KERNEL32(?), ref: 001108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00110921

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b34dfa3df9dde138938129e20cbe43d99b25f12d3e8296d0250488069355bdb8
Instruction ID: 5cc8a5231ba466b7c8e8c3829609cac5fce895c53c66b02380e782105a65288a
Opcode Fuzzy Hash: b34dfa3df9dde138938129e20cbe43d99b25f12d3e8296d0250488069355bdb8
Instruction Fuzzy Hash: 2F414A71900205EBDF15AF64DC85AAA77B9FF08310F1440B9ED04AB297DB70DEA5DBA0

Function 001381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000FF3AB,00000000,?,?,00000000,?,000F682C,00000004,00000000,00000000), ref: 0013824C
EnableWindow.USER32(?,00000000), ref: 00138272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001382D1
ShowWindow.USER32(?,00000004), ref: 001382E5
EnableWindow.USER32(?,00000001), ref: 0013830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0013832F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4c6897fad8330f46b36749e289e5b5303dbaa08b5b4ae7278c4ec34693ac9ad5
Instruction ID: 4ee7e2536f1122220261c1e225b12f9f74cadba9cdc83e1ff37b872b8b77fb1f
Opcode Fuzzy Hash: 4c6897fad8330f46b36749e289e5b5303dbaa08b5b4ae7278c4ec34693ac9ad5
Instruction Fuzzy Hash: F8418334601744AFDB25DF19CC99BE57BF1FB0A714F1851A9FA085B6A2CB31A882CB50

Function 00104C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00104C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00104CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00104CEA
_wcslen.LIBCMT ref: 00104D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00104D10
_wcsstr.LIBVCRUNTIME ref: 00104D1A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: f37f638d1df6c3bbb5712336c4dde2e43d9c94ecb92182b0650fee616163d818
Instruction ID: 296b940e877223056ab4c8b0ae32cedc2f3d7afeda46717ca634844dca76ac6a
Opcode Fuzzy Hash: f37f638d1df6c3bbb5712336c4dde2e43d9c94ecb92182b0650fee616163d818
Instruction Fuzzy Hash: 0C2104B2204200BBEB155B79AC8AEBB7B9CDF55750F108029F905DA192EBB1CC4087A0

Function 0011581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 000A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A3A97,?,?,000A2E7F,?,?,?,00000000), ref: 000A3AC2

_wcslen.LIBCMT ref: 0011587B
CoInitialize.OLE32(00000000), ref: 00115995
CoCreateInstance.OLE32(0013FCF8,00000000,00000001,0013FB68,?), ref: 001159AE
CoUninitialize.OLE32 ref: 001159CC

Strings

.lnk, xrefs: 00115876, 001158C1, 00115985

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a7ad1ce9711bd7582825ca8d7cf62eaa128a72db9fa8e4ec38e755eeefd42a5a
Instruction ID: 9d7268ed3217d721f9dfc68e79c33a2a03a84085a9e742360c456e0730ef4c27
Opcode Fuzzy Hash: a7ad1ce9711bd7582825ca8d7cf62eaa128a72db9fa8e4ec38e755eeefd42a5a
Instruction Fuzzy Hash: C3D15771608605DFC718DF24C480AAAB7E2EF89714F14896DF8899B362D731ED85CB92

Function 0010175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00100FCA
Part of subcall function 00100FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00100FD6
Part of subcall function 00100FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00100FE5
Part of subcall function 00100FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00100FEC
Part of subcall function 00100FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00101002

GetLengthSid.ADVAPI32(?,00000000,00101335), ref: 001017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001017BA
HeapAlloc.KERNEL32(00000000), ref: 001017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001017DA
GetProcessHeap.KERNEL32(00000000,00000000,00101335), ref: 001017EE
HeapFree.KERNEL32(00000000), ref: 001017F5

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7f573c9c80b5fcc20e9f9e72a9d66a890b31f77e7ad871214d3a0353cc6cee03
Instruction ID: 6f882e04e918171b8eaab32394b3170661140e412846c4d3d6a97088a7743f06
Opcode Fuzzy Hash: 7f573c9c80b5fcc20e9f9e72a9d66a890b31f77e7ad871214d3a0353cc6cee03
Instruction Fuzzy Hash: C2119D32600205FFDB149FA4CC49BAF7BF9EF4A355F104018F481A7290D7BAA984DBA0

Function 001014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00101506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00101515
CloseHandle.KERNEL32(00000004), ref: 00101520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0010154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00101563

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 89d37a479b8d8ecba7900f5edb6dbed8e99382ce90f8de055ac2a7f26b19bcc9
Instruction ID: 618ed3cf6e54419b8a9d7d5aa26668eb404759762b864be349442730d89f1d1c
Opcode Fuzzy Hash: 89d37a479b8d8ecba7900f5edb6dbed8e99382ce90f8de055ac2a7f26b19bcc9
Instruction Fuzzy Hash: B4112972504249BBDF118F98DD49BDE7BA9EF49754F044015FA45A20A0C3B58EA4DBA0

Function 000C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000C3379,000C2FE5), ref: 000C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000C33B7
SetLastError.KERNEL32(00000000,?,000C3379,000C2FE5), ref: 000C3409

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6a15710d5a9fa0f07cdc88e17aa5717ed4fe4f9d92388266ee519bfcfc2336bf
Instruction ID: a280d4b6dd4c8f4d9e8e3cf688131dfdd108841c1b7dd34e24c75ccef36d6c96
Opcode Fuzzy Hash: 6a15710d5a9fa0f07cdc88e17aa5717ed4fe4f9d92388266ee519bfcfc2336bf
Instruction Fuzzy Hash: FD012F3262C311BFEA2827B47C95FAE2A94EB05379320C22EF510912F2EF514E4262C4

Function 000D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000D5686,000E3CD6,?,00000000,?,000D5B6A,?,?,?,?,?,000CE6D1,?,00168A48), ref: 000D2D78
_free.LIBCMT ref: 000D2DAB
_free.LIBCMT ref: 000D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,000CE6D1,?,00168A48,00000010,000A4F4A,?,?,00000000,000E3CD6), ref: 000D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,000CE6D1,?,00168A48,00000010,000A4F4A,?,?,00000000,000E3CD6), ref: 000D2DEC
_abort.LIBCMT ref: 000D2DF2

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2b9229969176cdfd6ba38f418865fd69670c49d1d66799052923bcef378f2d8c
Instruction ID: d6e20daeb626f5e13a6c10b450e65cc2567cac91208a51b5073cca40774ad716
Opcode Fuzzy Hash: 2b9229969176cdfd6ba38f418865fd69670c49d1d66799052923bcef378f2d8c
Instruction Fuzzy Hash: 88F0C8319057006BC2622734BC0AEAF35ABBFE27B1F25441BF864A27D3EF64884152B1

Function 00138A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B9693
Part of subcall function 000B9639: SelectObject.GDI32(?,00000000), ref: 000B96A2
Part of subcall function 000B9639: BeginPath.GDI32(?), ref: 000B96B9
Part of subcall function 000B9639: SelectObject.GDI32(?,00000000), ref: 000B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00138A4E
LineTo.GDI32(?,00000003,00000000), ref: 00138A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00138A70
LineTo.GDI32(?,00000000,00000003), ref: 00138A80
EndPath.GDI32(?), ref: 00138A90
StrokePath.GDI32(?), ref: 00138AA0

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4246721e0d4de0d03be92d0cf9b3e2f0cb0dda8db7af18838a40c331deb07ca5
Instruction ID: 617786810c9386c7556551a40fc697743c285c4fd829e78e969ec07dd2997762
Opcode Fuzzy Hash: 4246721e0d4de0d03be92d0cf9b3e2f0cb0dda8db7af18838a40c331deb07ca5
Instruction Fuzzy Hash: 0E11DB7600014DFFEF129F94DC88EEA7F6DEB08354F048012BA19AA5A1C7719D95DFA0

Function 001051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00105218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00105229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00105230
ReleaseDC.USER32(00000000,00000000), ref: 00105238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0010524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00105261

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 750bf55caa933937cb2e57fb6b8e66c683c50f57b91a71bb87504475e768bc0d
Instruction ID: 50afc5fcb719ff7f0208dffc5f0d7fbf7ab21b04c682a8615418da0fea7aa637
Opcode Fuzzy Hash: 750bf55caa933937cb2e57fb6b8e66c683c50f57b91a71bb87504475e768bc0d
Instruction Fuzzy Hash: 7A014FB5A00719BBEB109BA59C49A5EBFB9EF48751F044065FA04E7691D6709800CFA0

Function 000A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 000A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 000A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 000A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 000A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 000A1C22

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 921228c29b63bc8066a8b7144e9ee08dc69e6617400fe871eb80ff42906d182d
Instruction ID: 06d559e7afbf1c03411da5390940455eb0a82726e9ead62deb69cdac5917e18c
Opcode Fuzzy Hash: 921228c29b63bc8066a8b7144e9ee08dc69e6617400fe871eb80ff42906d182d
Instruction Fuzzy Hash: 68016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 0010EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0010EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0010EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0010EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010EB75

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 68369bb8925a8da8db2f0dbd8b94040c242255dfe51e58de995fa4dad9d6399c
Instruction ID: ea8ab8a9e888df94ccad58ce09f0923a826af308d5ea5e019d82b9ca694a764b
Opcode Fuzzy Hash: 68369bb8925a8da8db2f0dbd8b94040c242255dfe51e58de995fa4dad9d6399c
Instruction Fuzzy Hash: F2F03AB2240158BBE7215B629C0EEEF3A7CEFCAB11F004158F601E1591E7A05A41DBF5

Function 000F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 000F7469
GetWindowDC.USER32(?), ref: 000F7475
GetPixel.GDI32(00000000,?,?), ref: 000F7484
ReleaseDC.USER32(?,00000000), ref: 000F7496
GetSysColor.USER32(00000005), ref: 000F74B0

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9a4bf46e611aa826ee000aebe1a666c1c4e751fd90996f32fa6fbe759ba6ec8e
Instruction ID: 8c97e4f424b5bafe745e635802457b28e13ac58f560c71a335321fa55e6a669f
Opcode Fuzzy Hash: 9a4bf46e611aa826ee000aebe1a666c1c4e751fd90996f32fa6fbe759ba6ec8e
Instruction Fuzzy Hash: 34014B31500619EFEB515F64DC09BEEBBB6FB04321F510164FA19B29A1CB312E91AB91

Function 00101874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0010187F
UnloadUserProfile.USERENV(?,?), ref: 0010188B
CloseHandle.KERNEL32(?), ref: 00101894
CloseHandle.KERNEL32(?), ref: 0010189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001018A5
HeapFree.KERNEL32(00000000), ref: 001018AC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fab14bd59d2eab897d88de69e60e6653bc33988bc0ee4df3b6415228edcd337f
Instruction ID: fd3ab29dfaf3868e140389887f34411bdedd6b6f33f5e7ce3e578d010fab3803
Opcode Fuzzy Hash: fab14bd59d2eab897d88de69e60e6653bc33988bc0ee4df3b6415228edcd337f
Instruction Fuzzy Hash: C6E0E536004101FBDB015FA1ED0C90ABF39FF49B22B108220F225A1870CB3294B0EF90

Function 0010C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A7620: _wcslen.LIBCMT ref: 000A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0010C6EE
_wcslen.LIBCMT ref: 0010C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0010C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0010C7CA

Strings

0, xrefs: 0010C6AF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: d10013ca3d3b5eb739df85d4f50a89c4cc1ef047502d2a0c7c9a1d2cc015b754
Instruction ID: c6284c73c2d1dda3b2d42dcf177964ca89b7b1413e8992450b90c71bded12715
Opcode Fuzzy Hash: d10013ca3d3b5eb739df85d4f50a89c4cc1ef047502d2a0c7c9a1d2cc015b754
Instruction Fuzzy Hash: 4A51AE726043019BD725AF28C885BAB77E8AB49314F044B29F9D5E32E1DBB0D9448F92

Function 0012AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0012AEA3

Part of subcall function 000A7620: _wcslen.LIBCMT ref: 000A7625

GetProcessId.KERNEL32(00000000), ref: 0012AF38
CloseHandle.KERNEL32(00000000), ref: 0012AF67

Strings

<, xrefs: 0012AE6B
@, xrefs: 0012AE72

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 07c2d79d34bda89e0eb98835ee6747a298802d7138e2c473fdf6ab36b5d50732
Instruction ID: 0c238182bb5253496f389846cccf31163ab3761c12821fd247bf61fd57c711c6
Opcode Fuzzy Hash: 07c2d79d34bda89e0eb98835ee6747a298802d7138e2c473fdf6ab36b5d50732
Instruction Fuzzy Hash: 6571AF71A00629DFCB14EFA4D484A9EBBF0FF09310F458499E81AAB352CB74ED55CB91

Function 0010719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00107206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0010723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0010724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001072CF

Strings

DllGetClassObject, xrefs: 00107242

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5a5e0eec5288e6ae0d3161d312ec39fa57ac72557553104d0cdceff7bade6f6e
Instruction ID: c73ac3b9e721df5b642b12cf81a4c2f7268b0dc41098ab175c9375be969fd177
Opcode Fuzzy Hash: 5a5e0eec5288e6ae0d3161d312ec39fa57ac72557553104d0cdceff7bade6f6e
Instruction Fuzzy Hash: DA417EB1A04204EFDB15DF94C884A9A7BA9EF44310F1580ADBD059F28AD7F0ED45DBA0

Function 00133D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00133E35
IsMenu.USER32(?), ref: 00133E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00133E92
DrawMenuBar.USER32 ref: 00133EA5

Strings

0, xrefs: 00133D89

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5f8efde2cc117dbb3640e58db7731c6bf38d662576a2719475bdcb1189b61aae
Instruction ID: 318655f8bc42ec13aeb93808d79c95858f3584f17184ebebf4e13d89da9fee2e
Opcode Fuzzy Hash: 5f8efde2cc117dbb3640e58db7731c6bf38d662576a2719475bdcb1189b61aae
Instruction Fuzzy Hash: BC414775A00209EFEB10DF64D884EEABBB9FF49354F044129E925A7250D730AE85CFA4

Function 00101DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 00103CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00103CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00101E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00101E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00101EA9

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Strings

ListBox, xrefs: 00101E25
ComboBox, xrefs: 00101DF0

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0262e879d0cf8b4ea3550ac1f8d80a8471c781c0f0eb443298e94908e7443e68
Instruction ID: a268f4b9d337a3383e5203f9f6f40e4d94703c9f746b5cd796e16f289e09872f
Opcode Fuzzy Hash: 0262e879d0cf8b4ea3550ac1f8d80a8471c781c0f0eb443298e94908e7443e68
Instruction Fuzzy Hash: A9213B71A00104BFDB15ABA4DC46CFFB7B9DF46350F144119F865A71E1DF7849468720

Function 00132F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00132F8D
LoadLibraryW.KERNEL32(?), ref: 00132F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00132FA9
DestroyWindow.USER32(?), ref: 00132FB1

Strings

SysAnimate32, xrefs: 00132F68

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: b8876f7347c4e683ef0de4c02ba66ecd0a96a3f82f842a4b5dd3ddf0b441f2bb
Instruction ID: 1541743ff98b20010cefe488310cfba989025e43ae95fb8c3c027bb94987ffd4
Opcode Fuzzy Hash: b8876f7347c4e683ef0de4c02ba66ecd0a96a3f82f842a4b5dd3ddf0b441f2bb
Instruction Fuzzy Hash: 78218C72204205ABEF106FA4DC81EBB77BDEB59364F104618FA50E6190D771DC919760

Function 000C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000C4D1E,000D28E9,?,000C4CBE,000D28E9,001688B8,0000000C,000C4E15,000D28E9,00000002), ref: 000C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,000C4D1E,000D28E9,?,000C4CBE,000D28E9,001688B8,0000000C,000C4E15,000D28E9,00000002,00000000), ref: 000C4DC3

Strings

mscoree.dll, xrefs: 000C4D86
CorExitProcess, xrefs: 000C4D98

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 155e69ecd2044cc7e2c735404ef49cb2ff8d4346167a5d26b827d4e46b39ea54
Instruction ID: 34c7275dbba8e4e30f756014ecb4db237232e632bc8cc06b3889832cd6132da9
Opcode Fuzzy Hash: 155e69ecd2044cc7e2c735404ef49cb2ff8d4346167a5d26b827d4e46b39ea54
Instruction Fuzzy Hash: A4F04F35A40208FBDB119F95DC59FEDBBF5EF44752F0001A8F906A2660CB705A80DBD1

Function 000A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000A4EDD,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000A4EAE
FreeLibrary.KERNEL32(00000000,?,?,000A4EDD,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 000A4EA8
kernel32.dll, xrefs: 000A4E94

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 9765d9e8d51f790da326f224f41c3664c99117c83efd0154cd4ffb4bdb66b643
Instruction ID: df9347e80958e4f8dd0967c14b541b50a954b556c1381ab4c9268d497b144733
Opcode Fuzzy Hash: 9765d9e8d51f790da326f224f41c3664c99117c83efd0154cd4ffb4bdb66b643
Instruction Fuzzy Hash: 7EE0CD3AA015229BD27157657C18B5F75D4AFC3F63B050115FC05F3100DBE0CD4156E0

Function 000A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000E3CDE,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000A4E74
FreeLibrary.KERNEL32(00000000,?,?,000E3CDE,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E87

Strings

kernel32.dll, xrefs: 000A4E5B
Wow64RevertWow64FsRedirection, xrefs: 000A4E6E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d3ffbee8ce00b3faad483de5abe0f2e015be3f8a696d7df52bf19c6e4a2c47ae
Instruction ID: 1ff0ee0708631de96bbfa09111e93bbff50d9055da7c6113f7b44ddf6fc6ffd5
Opcode Fuzzy Hash: d3ffbee8ce00b3faad483de5abe0f2e015be3f8a696d7df52bf19c6e4a2c47ae
Instruction Fuzzy Hash: CCD0123A50262197D6625B657C18DCB6A98AFC7B513050515B905F2154CFA0CD4196D0

Function 00112947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00112C05
DeleteFileW.KERNEL32(?), ref: 00112C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00112C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00112CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00112CC0

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 1917e73ea39a3a0b92fc9b63c8942f0d9ea480d561112ca1ecadfa8cf8df88fc
Instruction ID: d7777e20d458418f61eaf2dfeb0a01c2721d3bcbb97a6b1826b5bd339c21fc92
Opcode Fuzzy Hash: 1917e73ea39a3a0b92fc9b63c8942f0d9ea480d561112ca1ecadfa8cf8df88fc
Instruction Fuzzy Hash: 5DB16E71900119ABDF25DBA4CC85EDEB7BDEF59350F1040B6F609E7142EB309A948FA1

Function 0012A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0012A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0012A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0012A468
CloseHandle.KERNEL32(?), ref: 0012A63D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 65eef2cabd29932787f3af8269f9f07052d58048b24bd597cef8e0dc707fd807
Instruction ID: d37109ebfc311f2feb1d32264b7b82e1bcc74956e7ae60367798f040b256c487
Opcode Fuzzy Hash: 65eef2cabd29932787f3af8269f9f07052d58048b24bd597cef8e0dc707fd807
Instruction Fuzzy Hash: 00A1AF71604301AFE720DF24D886F6AB7E5AF84714F54881DF99A9B293D7B0EC41CB92

Function 000DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00143700), ref: 000DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0017121C,000000FF,00000000,0000003F,00000000,?,?), ref: 000DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00171270,000000FF,?,0000003F,00000000,?), ref: 000DBC36
_free.LIBCMT ref: 000DBB7F

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000DBD4B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 6d408a406bc9bc17d1ba31d251586f40f1796214632b371cbdb964ca3dc5a912
Instruction ID: c9851c540b33bcb3c62df6c4dcaf60fd14750d19cfb6df51651dba357a486265
Opcode Fuzzy Hash: 6d408a406bc9bc17d1ba31d251586f40f1796214632b371cbdb964ca3dc5a912
Instruction Fuzzy Hash: 67519871900309EFC720DF699C419AEB7F8FF44350B21426BE554E7392EB709E819BA0

Function 0010E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0010DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0010CF22,?), ref: 0010DDFD

Part of subcall function 0010DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0010CF22,?), ref: 0010DE16

Part of subcall function 0010E199: GetFileAttributesW.KERNEL32(?,0010CF95), ref: 0010E19A

lstrcmpiW.KERNEL32(?,?), ref: 0010E473
MoveFileW.KERNEL32(?,?), ref: 0010E4AC
_wcslen.LIBCMT ref: 0010E5EB
_wcslen.LIBCMT ref: 0010E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0010E650

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 925bef974897ef29b38dbb16559148e8101a000e119ee8c79356e709184d78d7
Instruction ID: d8bc7c4342e8b072cded9d65475755aed2ac802b47a1e1af6f65ac028bd7e559
Opcode Fuzzy Hash: 925bef974897ef29b38dbb16559148e8101a000e119ee8c79356e709184d78d7
Instruction Fuzzy Hash: EA5150B25083455BC724EB90DC81ADFB3ECAF95340F00492EF5C9D3192EFB5A6888766

Function 0012B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 0012C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012C9F1
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA68
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0012BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0012BB63
RegCloseKey.ADVAPI32(?,?), ref: 0012BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0012BBB3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 3bdf3d89cd57d0087117ba79263e34b9ec94752e731cce5aa0ad3fc9614a4bd5
Instruction ID: 77f046b556bbc9f5ba5a1b7646b24d75f6ad84bf81157c70b126b566cc7a8d6d
Opcode Fuzzy Hash: 3bdf3d89cd57d0087117ba79263e34b9ec94752e731cce5aa0ad3fc9614a4bd5
Instruction Fuzzy Hash: 1461C031208241AFC714DF64D8D0E6ABBE5FF85308F54896CF4998B2A2DB31ED45CB92

Function 00108BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00108BCD
VariantClear.OLEAUT32 ref: 00108C3E
VariantClear.OLEAUT32 ref: 00108C9D
VariantClear.OLEAUT32(?), ref: 00108D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00108D3B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: fc00232cdadf8b89c3e89fe8e1dd24decb7129e111527cdcca4e67b0daef05e1
Instruction ID: f5d0059275d8c2c8e976910a9aabaa2e2a3bdc5f2119e250a4842dc4c1feb545
Opcode Fuzzy Hash: fc00232cdadf8b89c3e89fe8e1dd24decb7129e111527cdcca4e67b0daef05e1
Instruction Fuzzy Hash: 46517BB5A00219EFCB14CF68C894AAAB7F8FF89310B158559F985EB350E770E911CF90

Function 00118AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00118BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00118BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00118C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00118C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00118C5F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e075794691e2f3444159a7d88f51b8f93dfc73a14fb3ccd4025dd2d5d73e99da
Instruction ID: 5a1500254b7b0b5f2cd9fc3f2fd8899d1842f9f9921f0663167c25693f28ebd8
Opcode Fuzzy Hash: e075794691e2f3444159a7d88f51b8f93dfc73a14fb3ccd4025dd2d5d73e99da
Instruction Fuzzy Hash: DD512935A006159FCB05DFA4C881AAEBBF5FF49354F08C468E849AB362DB35ED51CB90

Function 00128EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00128F40
GetProcAddress.KERNEL32(00000000,?), ref: 00128FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00128FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00129032
FreeLibrary.KERNEL32(00000000), ref: 00129052

Part of subcall function 000BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00111043,?,7644E610), ref: 000BF6E6
Part of subcall function 000BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000FFA64,00000000,00000000,?,?,00111043,?,7644E610,?,000FFA64), ref: 000BF70D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 9900502389fad0de2b67bc230a9220f0bfbb584e2d642e1d3e9fd551cda90204
Instruction ID: 2d0eb5079be0129201bd899d19a721c6b4731e821f96638848308349f801264d
Opcode Fuzzy Hash: 9900502389fad0de2b67bc230a9220f0bfbb584e2d642e1d3e9fd551cda90204
Instruction Fuzzy Hash: 49514834A01215DFC704DF68D4949ADBBF1FF49314F0980A8E80AAB762DB31ED85CB90

Function 00136B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00136C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00136C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00136C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0011AB79,00000000,00000000), ref: 00136C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00136CC7

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a2e227626560ceda6d579fe1b83cb0b7378c485359ac2cb24121cb68d0460ae4
Instruction ID: 2e6c78434e76646747bd4bbf768dfae86cfd2037959ebf51e8570fced069decf
Opcode Fuzzy Hash: a2e227626560ceda6d579fe1b83cb0b7378c485359ac2cb24121cb68d0460ae4
Instruction Fuzzy Hash: C941C635604104BFDB24CF28CC59FE9BBA5EB0A350F159268F999A73E1C371ED81DA90

Function 000D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000D20C3
_free.LIBCMT ref: 000D20E3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c005b6917ec606225e49079f61697e69d4776f09ac20643627f5c402b13c8b79
Instruction ID: df2557de01ba413d2f09bb8e6218c99a20b6f2a3d9876a9d615ac2da94cc9fed
Opcode Fuzzy Hash: c005b6917ec606225e49079f61697e69d4776f09ac20643627f5c402b13c8b79
Instruction Fuzzy Hash: FB41A336A00300AFCB24DF78C981AADB7E5EF99314B1585AAE515EB352DA31AD01DB90

Function 000B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000B9141
ScreenToClient.USER32(00000000,?), ref: 000B915E
GetAsyncKeyState.USER32(00000001), ref: 000B9183
GetAsyncKeyState.USER32(00000002), ref: 000B919D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 5a7a2d20d96c57c7fb84a5076998b663b3384f4a746b119be956f0a6b77f8b64
Instruction ID: f6ca8f1e5399321ba0054a2668e344061ad6792c7c31af01795dfa5ff3f1a5dc
Opcode Fuzzy Hash: 5a7a2d20d96c57c7fb84a5076998b663b3384f4a746b119be956f0a6b77f8b64
Instruction Fuzzy Hash: A2414F71A0861AFBDF159F68C844BFEB7B4FF05320F208629E529A7290C7346954EB91

Function 00113874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00113922
TranslateMessage.USER32(?), ref: 0011394B
DispatchMessageW.USER32(?), ref: 00113955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00113966

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7aad32be04f060ce4b79913b1c3b93cce4399e9d949f8476239f74f1e18045da
Instruction ID: 9115ca6983becb4fdbe00327b7f39b01243a6527da566573c2b43775804af118
Opcode Fuzzy Hash: 7aad32be04f060ce4b79913b1c3b93cce4399e9d949f8476239f74f1e18045da
Instruction Fuzzy Hash: 9C31A470904349AEEB3DCB349849BF63BB8AB15318F04057DE476925A4E3B4AAC5CB51

Function 0011CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0011C21E,00000000), ref: 0011CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0011CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0011C21E,00000000), ref: 0011CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0011C21E,00000000), ref: 0011CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0011C21E,00000000), ref: 0011CFF2

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 8088bc16f96600448392f5ed13b1bede4aceb278c9dd3d8617530ca1a4140059
Instruction ID: f37587e0f53dffa5ea2bce8d78ec5a50109dcd76c5be79b3e345a543140ffec1
Opcode Fuzzy Hash: 8088bc16f96600448392f5ed13b1bede4aceb278c9dd3d8617530ca1a4140059
Instruction Fuzzy Hash: 75314C71540206AFDB28DFA5C884AEBBBF9EB14350B10443EF516E2141DB30EE82DBA0

Function 00101901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00101915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001019E2

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8ec7e067bd1548d707a386ff2f9f9584b7fbdbb059068a6ab0060fd01fb8dafa
Instruction ID: bb39bded4fc7f432b27f602ba3d777a4f62be4db8b2eafbc8559d14cd442272e
Opcode Fuzzy Hash: 8ec7e067bd1548d707a386ff2f9f9584b7fbdbb059068a6ab0060fd01fb8dafa
Instruction Fuzzy Hash: 2F31C072A00219FFCB04CFA8CD99ADE3BB5FB05319F104229F961A72D1C7B49944DB90

Function 00135706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00135745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0013579D
_wcslen.LIBCMT ref: 001357AF
_wcslen.LIBCMT ref: 001357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00135816

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 871feed6e4b55251a8d4ab42a223bb8d4b98e86e4a7e9330d754436a8bd97ed4
Instruction ID: 7e29049422b320777079474ba2133779461b485d9a67aec2cdecac34d5c68a71
Opcode Fuzzy Hash: 871feed6e4b55251a8d4ab42a223bb8d4b98e86e4a7e9330d754436a8bd97ed4
Instruction Fuzzy Hash: 2C219671904618DADB209FA4CC85AED7BB9FF04B24F508256F919EB1C1E7708AC5CF50

Function 00120930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00120951
GetForegroundWindow.USER32 ref: 00120968
GetDC.USER32(00000000), ref: 001209A4
GetPixel.GDI32(00000000,?,00000003), ref: 001209B0
ReleaseDC.USER32(00000000,00000003), ref: 001209E8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 1a9020eea4d28bcc3e7b4eb7ad73b82fb50dd06ad18d385b7bc8254a63b7026d
Instruction ID: abd49457cb3b08c26bc4351c96492889e4cfcc08d98b4cfacee9e2c472b81678
Opcode Fuzzy Hash: 1a9020eea4d28bcc3e7b4eb7ad73b82fb50dd06ad18d385b7bc8254a63b7026d
Instruction Fuzzy Hash: 8A218475600214AFD704EFA5DC55AAEB7F5EF49700F048078E84AE7762CB30AC44CB90

Function 000DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000DCDE9

Part of subcall function 000D3820: RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000DCE0F
_free.LIBCMT ref: 000DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000DCE31

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a4b3e182e6adcd0921588b23e328918e29543f89e84708118c30c84b20d535a2
Instruction ID: 8176a3238c032af8e68aebd819b06b8c3e3c1e2f326e52735b48fa0957f35149
Opcode Fuzzy Hash: a4b3e182e6adcd0921588b23e328918e29543f89e84708118c30c84b20d535a2
Instruction Fuzzy Hash: A30184B26013167F772116BA6C88D7FBAADEFC6BA1315012BF905D7301EA618D01D2F4

Function 000B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B9693
SelectObject.GDI32(?,00000000), ref: 000B96A2
BeginPath.GDI32(?), ref: 000B96B9
SelectObject.GDI32(?,00000000), ref: 000B96E2

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 057f25ef9e4b9ff0f2c41e265cc4fa36034e21fbbc907d579f3fe6edc5646db6
Instruction ID: 950fbad93d012baee0dfc07337bbeaf01b39234c24fedee049920847eb3aaf69
Opcode Fuzzy Hash: 057f25ef9e4b9ff0f2c41e265cc4fa36034e21fbbc907d579f3fe6edc5646db6
Instruction Fuzzy Hash: 6B218E71802305FBDB119F28EC19BE97BB9FB10319F100216F618A65B0D37098D2DB90

Function 00105711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00105726
_memcmp.LIBVCRUNTIME ref: 00105744
_memcmp.LIBVCRUNTIME ref: 00105757
_memcmp.LIBVCRUNTIME ref: 0010576F
_memcmp.LIBVCRUNTIME ref: 00105787

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d89368569f2ada940297f04ab01e65662139f782c2bcfb9f0796d0c86b34d31c
Instruction ID: 81d457116e1959cf69c722f3d00c5fe1c6b2e93773b31549c819e8d494c79f42
Opcode Fuzzy Hash: d89368569f2ada940297f04ab01e65662139f782c2bcfb9f0796d0c86b34d31c
Instruction Fuzzy Hash: 2101B9B1681605BBD71856109E42FFF735E9F21398F804028FD449A2C3F7E0EE1196A1

Function 000D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000CF2DE,000D3863,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6), ref: 000D2DFD
_free.LIBCMT ref: 000D2E32
_free.LIBCMT ref: 000D2E59
SetLastError.KERNEL32(00000000,000A1129), ref: 000D2E66
SetLastError.KERNEL32(00000000,000A1129), ref: 000D2E6F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 33862968ee2b3595bcb3b7d490bb37f3306564cd415c3e07b07723da35f1009b
Instruction ID: 7bd7699ac510360e7bae6c97d0c274bccc2e8fdf9fb66159a7fc420dd3096a25
Opcode Fuzzy Hash: 33862968ee2b3595bcb3b7d490bb37f3306564cd415c3e07b07723da35f1009b
Instruction Fuzzy Hash: B701F4326057006BC62267746C46DAF27A9ABF13B2B25442BF425A3393EBB0CC414170

Function 0010000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?,?,0010035E), ref: 0010002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?), ref: 00100064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100070

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 239f70ae565c4fc7d60ec929c6f2b7eeb052d36e1697f3f09fd7ef351d093a0a
Instruction ID: 1a365482af7ce64a2fb81e02dfc87f65085c5819d0eb4ccfaca6feb4eb59375b
Opcode Fuzzy Hash: 239f70ae565c4fc7d60ec929c6f2b7eeb052d36e1697f3f09fd7ef351d093a0a
Instruction Fuzzy Hash: 9101A276600204BFDB124F68DC08BAA7AEDEF48791F144128F945E2254DBB1DE808BA0

Function 0010E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0010E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0010E9A5
Sleep.KERNEL32(00000000), ref: 0010E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0010E9B7
Sleep.KERNEL32 ref: 0010E9F3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 70b0b08f9903ebef89c4c0d7028f80542e9917671e3dab0db1ca16280d026213
Instruction ID: 9cd847478cec0b13bfbc79cc8a2534a085504ff25ada9f4ca157d19452f8eccc
Opcode Fuzzy Hash: 70b0b08f9903ebef89c4c0d7028f80542e9917671e3dab0db1ca16280d026213
Instruction Fuzzy Hash: 0A015E31C0162DDBCF00AFE6DD59AEDBBB8FF09705F010956E582B2291CB709694DBA1

Function 001010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00101114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 0010112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0010114D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 73a2681c4a3cfb1882380859939b4a550f8664892dee12f238591f7be99cb281
Instruction ID: 8b8373a8552f9df23d0656df7c741fda964dd43972e145de3eda94c079a3c310
Opcode Fuzzy Hash: 73a2681c4a3cfb1882380859939b4a550f8664892dee12f238591f7be99cb281
Instruction Fuzzy Hash: 8A013C79200215FFDB154FA5DC49E6A3F6EEF893A0B244419FA85E73A0DB71DC409BA0

Function 00100FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00100FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00100FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00100FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00100FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00101002

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 031397b45d817376622508b30420710c7c7437ecc8de95f5072d5989d10ad4dd
Instruction ID: 725bffbaa7c05fef60a1dbfe6e59ff917ca5a6465cd2738419ebe202bf624ea3
Opcode Fuzzy Hash: 031397b45d817376622508b30420710c7c7437ecc8de95f5072d5989d10ad4dd
Instruction Fuzzy Hash: 7DF04939200301FBDB224FA49C49F563BADEF89762F204414FA85E7291CA74DC908BA0

Function 00101014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0010102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00101036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00101045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0010104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00101062

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8f313ff6a1538478430850d1f8be8667fa21f240f29badb804b02b6a583816d4
Instruction ID: aea1216b2ef7f95cb892f4b8e2f0a8b406621d16444601e4ff159546f45191cd
Opcode Fuzzy Hash: 8f313ff6a1538478430850d1f8be8667fa21f240f29badb804b02b6a583816d4
Instruction Fuzzy Hash: A0F06D39200301FBDB215FA4EC49F563BADFF89761F200814FA85E7290CB74D8908BA0

Function 0011030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 00110324
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 00110331
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 0011033E
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 0011034B
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 00110358
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 00110365

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7577300ce8fd59d0807e19a574b868ef9035360eb9e9676f4a84ca771948b613
Instruction ID: 28550576681d9464642cd3a2527de403152a3b41cfeb6943a325547dec219deb
Opcode Fuzzy Hash: 7577300ce8fd59d0807e19a574b868ef9035360eb9e9676f4a84ca771948b613
Instruction Fuzzy Hash: C701EE72800B018FCB31AF66D880842FBF9BF643153058A3FD1A252930C3B1A999CF80

Function 000DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000DD752

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000DD764
_free.LIBCMT ref: 000DD776
_free.LIBCMT ref: 000DD788
_free.LIBCMT ref: 000DD79A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2279e52524bf1be8991ab8d27d00547a798bfb063b21a117e0c658b701728cd4
Instruction ID: c0d75d5aac474684a61265415860962429762912017e6ef896d5675a1942a638
Opcode Fuzzy Hash: 2279e52524bf1be8991ab8d27d00547a798bfb063b21a117e0c658b701728cd4
Instruction Fuzzy Hash: F2F06232548304AB8661EB68FDC5C6AB7DDBB44310B940847F098D7B02D730FC808AB0

Function 00105C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00105C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00105C6F
MessageBeep.USER32(00000000), ref: 00105C87
KillTimer.USER32(?,0000040A), ref: 00105CA3
EndDialog.USER32(?,00000001), ref: 00105CBD

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: aa800b93f4394b5c19fc6cee5f67c8fcee13d6e6111fc9fae859bc4144184e67
Instruction ID: de45e5687e281de8252dc1a907ab907937a5f979231091dba74e59b8a8118924
Opcode Fuzzy Hash: aa800b93f4394b5c19fc6cee5f67c8fcee13d6e6111fc9fae859bc4144184e67
Instruction Fuzzy Hash: CC016D71500B04ABFB255B10DE4FFA67BBDBB00B05F041559E583B15E1DBF4A9848F90

Function 000D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000D22BE

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000D22D0
_free.LIBCMT ref: 000D22E3
_free.LIBCMT ref: 000D22F4
_free.LIBCMT ref: 000D2305

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8919ec3ad16d7f711759ecb71837908de87c9ded78b1bdcd451c5410434c6396
Instruction ID: d3e851eb99c1cb74676163ba1a72f37689d8d19571ea142cb30926107a2c31d2
Opcode Fuzzy Hash: 8919ec3ad16d7f711759ecb71837908de87c9ded78b1bdcd451c5410434c6396
Instruction Fuzzy Hash: F1F0B775811320AB8622AF68AC118A87AB9B72CB61715054BF418D6BB2CB7109D1AEF4

Function 000B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000B95D4
StrokeAndFillPath.GDI32(?,?,000F71F7,00000000,?,?,?), ref: 000B95F0
SelectObject.GDI32(?,00000000), ref: 000B9603
DeleteObject.GDI32 ref: 000B9616
StrokePath.GDI32(?), ref: 000B9631

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5a06d6aaa5aef22b3a2d0ca84852c61077ccecc9c5543418cf6390efab744262
Instruction ID: e32414d5a4074f7292bee47efb1726d766203ba7b7e7551f4470fa500d794790
Opcode Fuzzy Hash: 5a06d6aaa5aef22b3a2d0ca84852c61077ccecc9c5543418cf6390efab744262
Instruction Fuzzy Hash: 79F0E735006748EBDB265F69ED1CBA83FB5AB0132AF048214F669698F0C73089D6DF60

Function 000D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000D10F9
__freea.LIBCMT ref: 000D1117

Part of subcall function 000D1537: _free.LIBCMT ref: 000D154F

Strings

a/p, xrefs: 000D11DE
am/pm, xrefs: 000D117A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 86fa12834ad8307eb9a0a49e2bdcff5fecdcc8a8419ce272d306de5c01bfe5b2
Instruction ID: e3ac88e627c696251f6986223a319d2ef260c7ba016b878b630633f654f823e8
Opcode Fuzzy Hash: 86fa12834ad8307eb9a0a49e2bdcff5fecdcc8a8419ce272d306de5c01bfe5b2
Instruction Fuzzy Hash: 62D1DF75900306AADB689F68C855BFEBBF1EF05300F28411BE9059B791DB759E80CBB1

Function 00127B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 000C0242: EnterCriticalSection.KERNEL32(0017070C,00171884,?,?,000B198B,00172518,?,?,?,000A12F9,00000000), ref: 000C024D
Part of subcall function 000C0242: LeaveCriticalSection.KERNEL32(0017070C,?,000B198B,00172518,?,?,?,000A12F9,00000000), ref: 000C028A

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 000C00A3: __onexit.LIBCMT ref: 000C00A9

__Init_thread_footer.LIBCMT ref: 00127BFB

Part of subcall function 000C01F8: EnterCriticalSection.KERNEL32(0017070C,?,?,000B8747,00172514), ref: 000C0202
Part of subcall function 000C01F8: LeaveCriticalSection.KERNEL32(0017070C,?,000B8747,00172514), ref: 000C0235

Strings

G, xrefs: 00127C7F
Variable must be of type 'Object'., xrefs: 00127C3A
5, xrefs: 00127C78

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: bc5e5db0b7a98a561c869803f6de2554c35bb52a180229d44043c85c59ed99af
Instruction ID: 014372526d9bef4cfd179e6b6b572a4d08c7e57213a4b6537b5d4b1d69119059
Opcode Fuzzy Hash: bc5e5db0b7a98a561c869803f6de2554c35bb52a180229d44043c85c59ed99af
Instruction Fuzzy Hash: 7D917C70A04219EFCB14EF94E991DEEB7B1FF45300F148059F806AB292DB71AE61CB51

Function 000D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 000D5BA8, 000D5C6C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-360213456
Opcode ID: 567ddfac50a8ebce4939871aab97ceeb70fe0ba4965130c8663318ec7aa25c67
Instruction ID: c2eea0daf113cd29c424f9f3b69a923382a6d59e90659e0eb60328c967e09995
Opcode Fuzzy Hash: 567ddfac50a8ebce4939871aab97ceeb70fe0ba4965130c8663318ec7aa25c67
Instruction Fuzzy Hash: 13516D7191070AAFDB219FA8CC45FEE7BB8AF49322F14005BF805A7392D77199419B72

Function 00102716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001021D0,?,?,00000034,00000800,?,00000034), ref: 0010B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00102760

Part of subcall function 0010B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0010B3F8

Part of subcall function 0010B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0010B355
Part of subcall function 0010B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00102194,00000034,?,?,00001004,00000000,00000000), ref: 0010B365
Part of subcall function 0010B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00102194,00000034,?,?,00001004,00000000,00000000), ref: 0010B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0010281A

Strings

@, xrefs: 00102832

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4a7ec7d3e0e3ecb4bef8b3ed803c56438de28cc0eff45f3186691bedf4654255
Instruction ID: 11ac3a46e55cdf3bfcd3851eb6b4b50a367dc42c153233442c8b10bfcf4890c1
Opcode Fuzzy Hash: 4a7ec7d3e0e3ecb4bef8b3ed803c56438de28cc0eff45f3186691bedf4654255
Instruction Fuzzy Hash: BA411F76900218AFDB10DFA4CD85EDEBBB8EF15700F108055FA95B7191DBB06E45CBA1

Function 000D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 000D1769
_free.LIBCMT ref: 000D1834
_free.LIBCMT ref: 000D183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 000D1760, 000D1767, 000D1796, 000D17CE

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: bea5434ec98b984c26fa748818f586a117ccfd9ef8a8ec6dd766434fe4c2080a
Instruction ID: 459861284d9bb02f3426238a3e08f43ac3480ac38004bae4a6ec5463ced51e8f
Opcode Fuzzy Hash: bea5434ec98b984c26fa748818f586a117ccfd9ef8a8ec6dd766434fe4c2080a
Instruction Fuzzy Hash: 0D316F75A04319BBDB21DB99D885DDEBBFCEB95310B2441A7F404D7312DE708A80DBA0

Function 0010C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0010C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0010C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00171990,00C85210), ref: 0010C395

Strings

0, xrefs: 0010C2DF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 32526b84611ebb39a7abe843e7a53eff3e3796e32fb2b0b42ac2f0de311f9d18
Instruction ID: 11c00415a21982d591180c53847fba2421d52bb6f199c9b834e1f6962003fb00
Opcode Fuzzy Hash: 32526b84611ebb39a7abe843e7a53eff3e3796e32fb2b0b42ac2f0de311f9d18
Instruction Fuzzy Hash: CF418E312043019FDB24DF25D884B5ABBE4BF85320F148B1DF9A59B2D2D7B0A904CFA2

Function 00134416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0013CC08,00000000,?,?,?,?), ref: 001344AA
GetWindowLongW.USER32 ref: 001344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001344D7

Strings

SysTreeView32, xrefs: 0013447C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7f28faa38463a0d1a6c6e389b00d6a54f3de0dd24eb8a70d274e56607148ca32
Instruction ID: 6522b1f5d5139022e3ac1364d50a0d148accf91ca06b88e424546a9d8086cf53
Opcode Fuzzy Hash: 7f28faa38463a0d1a6c6e389b00d6a54f3de0dd24eb8a70d274e56607148ca32
Instruction Fuzzy Hash: 2E317E72210605AFDB219F78DC45BEA77A9EB09334F204725F975A21D1D770EC909790

Function 0012304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0012335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00123077,?,?), ref: 00123378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0012307A
_wcslen.LIBCMT ref: 0012309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00123106

Strings

255.255.255.255, xrefs: 00123095, 0012309A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: bcb119dc5edf5e21c08cc5444ad063d436debe58ba7f6bad7501aed4628cfe9f
Instruction ID: c87c69f433e41119bc83001ea4451c02b4c5e7c6b3440e7e49549d4193165cb9
Opcode Fuzzy Hash: bcb119dc5edf5e21c08cc5444ad063d436debe58ba7f6bad7501aed4628cfe9f
Instruction Fuzzy Hash: 743104352002219FCB10CF68D486EAA77E0EF14318F258099E8258B392DB3AEF51C770

Function 00133EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00133F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00133F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00133F78

Strings

SysMonthCal32, xrefs: 00133F0B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: da5140abdf4b30b86f07a502371fe014bc69f80e16318d6b32b9e77fc5c004a1
Instruction ID: 296f7e703401e590c0f3b4235258582e49badb1d849268d075abbe4f0e835601
Opcode Fuzzy Hash: da5140abdf4b30b86f07a502371fe014bc69f80e16318d6b32b9e77fc5c004a1
Instruction Fuzzy Hash: C2219C32600219BFDF259F94DC46FEA3B79EB48724F110214FA19AB1D0D7B1A9908BA0

Function 00134653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00134705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00134713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0013471A

Strings

msctls_updown32, xrefs: 00134684

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3f8df3bc0b5b0a2b89d891ab73eb290abf567fc56753f91d2fe45e308d240ef6
Instruction ID: 7f2e732e9b6c8a8dd9e48a949d8cc4f048d41ec9129c99040887163171965e15
Opcode Fuzzy Hash: 3f8df3bc0b5b0a2b89d891ab73eb290abf567fc56753f91d2fe45e308d240ef6
Instruction Fuzzy Hash: 52213EB5600209AFDB11DF68DC91DA737ADEB5A3A8B140059FA059B291CB71FC51CA60

Function 001095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0010961D

Strings

#requireadmin, xrefs: 001095D9
#notrayicon, xrefs: 001095B7
#OnAutoItStartRegister, xrefs: 001095F3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 474640e0e523d7dd20e937d534333ee0d5b13519d00c1c26c25a830a80c8fbae
Instruction ID: 688205dc393a152d8d147cdf6479996cf7dae72aec58e4f7c40bf5486c32fec1
Opcode Fuzzy Hash: 474640e0e523d7dd20e937d534333ee0d5b13519d00c1c26c25a830a80c8fbae
Instruction Fuzzy Hash: DE21057220461166D331BB259C22FFBB398AF95310F14842AF9C9971C3EBE2AD42D3D5

Function 001337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00133840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00133850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00133876

Strings

Listbox, xrefs: 0013380F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 4c18530e6d3cc6f2d8452cf7ece59fc018b2406f9d77682afd148d1ccfe24a04
Instruction ID: f1261bd63f1e919c923e3389f1eb658fe0a3450c7f0e51540610a647ddbfc315
Opcode Fuzzy Hash: 4c18530e6d3cc6f2d8452cf7ece59fc018b2406f9d77682afd148d1ccfe24a04
Instruction Fuzzy Hash: AA218E72610218BBEF218F54DC85FAB376AEF89764F118224F9149B190C772DC5287A4

Function 001149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00114A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00114A5C
SetErrorMode.KERNEL32(00000000,?,?,0013CC08), ref: 00114AD0

Strings

%lu, xrefs: 00114A6F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 722b3b0ea920dc42f2ce2cb09443b987efc96631b4c9a51b314abc3a12b3b601
Instruction ID: 6c301a55250d809846b7f1c5bc794a349afac3522149db824e73bf1ec14a7968
Opcode Fuzzy Hash: 722b3b0ea920dc42f2ce2cb09443b987efc96631b4c9a51b314abc3a12b3b601
Instruction Fuzzy Hash: D3317375A00109AFDB10DF54C885EEA7BF8EF05318F1480A5F509EB252D771ED45CBA1

Function 001341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0013424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00134264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00134271

Strings

msctls_trackbar32, xrefs: 00134226

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 456cafb93c10b776d08ff50719a63e18fce0c09efc821c9e1dbebd6d29000158
Instruction ID: 2b99d3092693c29edb3a234f6cdac88f5e53cfb031e6b35ef3a5fd8cf5e28392
Opcode Fuzzy Hash: 456cafb93c10b776d08ff50719a63e18fce0c09efc821c9e1dbebd6d29000158
Instruction Fuzzy Hash: E611E371240208BFEF205F69DC06FAB3BACEF95B54F010114FA55E20A0D371E8519B10

Function 00102F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Part of subcall function 00102DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00102DC5
Part of subcall function 00102DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00102DD6
Part of subcall function 00102DA7: GetCurrentThreadId.KERNEL32 ref: 00102DDD
Part of subcall function 00102DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00102DE4

GetFocus.USER32 ref: 00102F78

Part of subcall function 00102DEE: GetParent.USER32(00000000), ref: 00102DF9

GetClassNameW.USER32(?,?,00000100), ref: 00102FC3
EnumChildWindows.USER32(?,0010303B), ref: 00102FEB

Strings

%s%d, xrefs: 00102FFF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d5f142b40108d42dd4fea8fa58af7df47cce57128e0ef18be9a83da6c123b964
Instruction ID: f89f7f1a952425f14b1f4f2311766c04f25626c0792db2caedf00c9d46e2640a
Opcode Fuzzy Hash: d5f142b40108d42dd4fea8fa58af7df47cce57128e0ef18be9a83da6c123b964
Instruction Fuzzy Hash: 0611B4B17002056BCF157FB08C8AEEE776EAF95304F048075F95AAB292DFB199458B70

Function 00135882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001358EE
DrawMenuBar.USER32(?), ref: 001358FD

Strings

0, xrefs: 0013588F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 41f7a2f8d12f9d506a7b36dd20edf278699a9f7e2552cf83c64d88679262a679
Instruction ID: cc513d5c4589d66f898bf9883adda3df0172d02e7b7c5b5331f3dba619bb0a5f
Opcode Fuzzy Hash: 41f7a2f8d12f9d506a7b36dd20edf278699a9f7e2552cf83c64d88679262a679
Instruction Fuzzy Hash: F2018031600218EFDB219F11DC44BEEBBB5FF45764F108099E849E6151DB308A94DF71

Function 0010007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fff3a1674316ccd41b81010c8fbb3339a3c7986b80c6aa685646cfe187bc3d9
Instruction ID: 96e544a2d680d1dcfb9a581a391b8bd7509bc12be4c672817bdc1ac291a40f0f
Opcode Fuzzy Hash: 1fff3a1674316ccd41b81010c8fbb3339a3c7986b80c6aa685646cfe187bc3d9
Instruction Fuzzy Hash: B4C13875A0020AEFDB16CFA4C894BAEB7B5FF48304F118598E545EB291D771EE81CB90

Function 000D3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000D3F0B
__alldvrm.LIBCMT ref: 000D410C
__alldvrm.LIBCMT ref: 000D412E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 204ccc89260f222d6e5b9ef81836126c12bea21329a49f6b68b0757e1f3727db
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 1DA13776E043869FDB25CF18C8917AEBFE5EF65350F18416FE5859B382C2348981C761

Function 0012342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00123459
CoUninitialize.OLE32 ref: 00123463
VariantInit.OLEAUT32(?), ref: 0012346E
VariantClear.OLEAUT32(?), ref: 0012371B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 23c06740b2df04a83440b6c3503e9529e40c5889652c9022fb61842fbbfc3d3d
Instruction ID: 58605956b33cf638d9f7a34b6b3c08ffdb59750dc1eb696d4ea2dc8f2db8fb18
Opcode Fuzzy Hash: 23c06740b2df04a83440b6c3503e9529e40c5889652c9022fb61842fbbfc3d3d
Instruction Fuzzy Hash: 04A19B756047109FCB00EF68D885A6AB7E5FF89310F04885DF99A9B362DB74EE01CB91

Function 00100436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0013FC08,?), ref: 001005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0013FC08,?), ref: 00100608
CLSIDFromProgID.OLE32(?,?,00000000,0013CC40,000000FF,?,00000000,00000800,00000000,?,0013FC08,?), ref: 0010062D
_memcmp.LIBVCRUNTIME ref: 0010064E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f793697a1ea756d06e8c65318cf07185bb74b030bb872b88f3e5cf7c3039b966
Instruction ID: 33d5f51712e0c0d90dc0ccd20c2b9cdeaca6f686d6c42650744de4185d4d66ac
Opcode Fuzzy Hash: f793697a1ea756d06e8c65318cf07185bb74b030bb872b88f3e5cf7c3039b966
Instruction Fuzzy Hash: 9C811A71A00109EFCB05DF94C984EEEB7B9FF89315F204598E546EB290DB71AE46CB60

Function 0012A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0012A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0012A6BA

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0012A79C
CloseHandle.KERNEL32(00000000), ref: 0012A7AB

Part of subcall function 000BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000E3303,?), ref: 000BCE8A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 270027c6c6f6b0fec09d0488d25b729b56bacc5a9358de3dd7a2de9c62c6645a
Instruction ID: abc1f91a5ab147e9ed112dc3920c7f49954f9c89a89a6fcef00ee74f57eeaad7
Opcode Fuzzy Hash: 270027c6c6f6b0fec09d0488d25b729b56bacc5a9358de3dd7a2de9c62c6645a
Instruction Fuzzy Hash: 41517DB15083109FD310EF64D886AABBBE8FF89754F40892DF58997252EB30D904CB92

Function 000E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000E14C0

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cfdd6106b521b17e8a165fdc99d810bd20e307e55b1595c8091cda96bd416c7b
Instruction ID: 077857b7e786818166a4bf87062860bcc9920cab47f207c32f104f784895f4c5
Opcode Fuzzy Hash: cfdd6106b521b17e8a165fdc99d810bd20e307e55b1595c8091cda96bd416c7b
Instruction Fuzzy Hash: 5E414D71600651AFDB256BBA8C45FFE3AE5EF41330F14022AF419F63D3E63489419272

Function 00136278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001362E2
ScreenToClient.USER32(?,?), ref: 00136315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00136382

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c1aa7f794e3be6821b2916f4ab9a5bf268c5b58e0db4cc8e84dedcbc18df197e
Instruction ID: 8c686f5608ce5846c2e9b53b25d46ea3fca3392f8c02a2e4593cda4884319dce
Opcode Fuzzy Hash: c1aa7f794e3be6821b2916f4ab9a5bf268c5b58e0db4cc8e84dedcbc18df197e
Instruction Fuzzy Hash: 70512B75A00209EFDF10DF68D881AAE7BB5FF55364F108169F9599B2A0D730ED81CB90

Function 00121AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00121AFD
WSAGetLastError.WSOCK32 ref: 00121B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00121B8A
WSAGetLastError.WSOCK32 ref: 00121B94

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: c19988f67c1b913ce402ee2275443aa8fde232b38668dd7569efe1bb27d7316d
Instruction ID: 39436a7785e49ddde230a1ffc981c519a8cc5a9203ea9a93f309396d5875d056
Opcode Fuzzy Hash: c19988f67c1b913ce402ee2275443aa8fde232b38668dd7569efe1bb27d7316d
Instruction Fuzzy Hash: 1E41E074600200AFE720EF20D886FAA77F5AB45718F548498F91A9F3D3D772ED418B90

Function 000DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024c6d88904dd7973ebe2624f2e17896c3cfaff6b4697010d1cc0e77062e4b14
Instruction ID: aa673ad26813d7d76c3d9634af46d1e6c5301a168ede8fddb31a50871f0cddbd
Opcode Fuzzy Hash: 024c6d88904dd7973ebe2624f2e17896c3cfaff6b4697010d1cc0e77062e4b14
Instruction Fuzzy Hash: 5541AF75A00744EFD724EF78C841BAEBBE9EB88710F11452FF5519B392D77199018BA0

Function 001156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00115783
GetLastError.KERNEL32(?,00000000), ref: 001157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001157FA

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 36ddc5b3d09fec3c2b89ecf480d7b4985af7094cb5c70a0d0e1dbb7f6be52c2a
Instruction ID: 43fb0b098149c1a9879e9c936973ce291ffb6c849a7f6bf69ace3edce9dae400
Opcode Fuzzy Hash: 36ddc5b3d09fec3c2b89ecf480d7b4985af7094cb5c70a0d0e1dbb7f6be52c2a
Instruction Fuzzy Hash: 28411039600A10DFCB15EF65C545A9EBBE2EF89310F59C498E84A6B362CB74FD40CB91

Function 000DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,000C6D71,00000000,00000000,000C82D9,?,000C82D9,?,00000001,000C6D71,8BE85006,00000001,000C82D9,000C82D9), ref: 000DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000DD9AB
__freea.LIBCMT ref: 000DD9B4

Part of subcall function 000D3820: RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: fdbad9e0edf8f34a3f5b05560dc7c088e3f44daa4d445b75d108b17b3b412931
Instruction ID: df1c12e02f83e74194d9dd8eb3f599d269fbcc83f2d09510c934e3cbb5e6b2e8
Opcode Fuzzy Hash: fdbad9e0edf8f34a3f5b05560dc7c088e3f44daa4d445b75d108b17b3b412931
Instruction Fuzzy Hash: 4E31AE72A0030AABDB259F65DC91EEEBBA5EB40310B05416AFC04D6251EB36DD50DBA0

Function 001352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00135352
GetWindowLongW.USER32(?,000000F0), ref: 00135375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00135382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001353A8

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 785f17122ad1a91f151c12b677740d51f5d94bf2619e11ce0dd7c883efc9e210
Instruction ID: f8e0b6f2c8b06241ec3d30f11f578a916a4799bf7cdf27f30721829bbf649880
Opcode Fuzzy Hash: 785f17122ad1a91f151c12b677740d51f5d94bf2619e11ce0dd7c883efc9e210
Instruction Fuzzy Hash: BF31A034A95A08EFEF349A18CC46BE877A7FB05BD0F584101FA11962E1C7B09980DB82

Function 0010AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0010ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0010AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0010AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0010ACC6

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b57291981f44831609d2123f8f1af0e3255498f44254df17a133d0eb27415a44
Instruction ID: 72bf50a1c92253f332ab936f1c301e425beb099fc1d2213cf87c21fe07f32127
Opcode Fuzzy Hash: b57291981f44831609d2123f8f1af0e3255498f44254df17a133d0eb27415a44
Instruction Fuzzy Hash: F9314630A04718AFFF35CB64CD097FE7BA5AF89310F85431AE4C5962D1C3B499858792

Function 00137674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0013769A
GetWindowRect.USER32(?,?), ref: 00137710
PtInRect.USER32(?,?,00138B89), ref: 00137720
MessageBeep.USER32(00000000), ref: 0013778C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d9cf9ce0fb40c0f7c7de59bec65cae248203d76a469a20c9bc4e8bda217f530c
Instruction ID: 57a3007e72554af2b837d47b0974f98f0e1297d14f75354a294771ac78bb6f05
Opcode Fuzzy Hash: d9cf9ce0fb40c0f7c7de59bec65cae248203d76a469a20c9bc4e8bda217f530c
Instruction Fuzzy Hash: 4E41C0B4609254EFCB21CF58C899FA97BF4FF49314F1540A8E5149B2A1C330E982CF90

Function 001316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001316EB

Part of subcall function 00103A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00103A57
Part of subcall function 00103A3D: GetCurrentThreadId.KERNEL32 ref: 00103A5E
Part of subcall function 00103A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001025B3), ref: 00103A65

GetCaretPos.USER32(?), ref: 001316FF
ClientToScreen.USER32(00000000,?), ref: 0013174C
GetForegroundWindow.USER32 ref: 00131752

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 30ebcf6cd7e9c1acd5137b0bfd3b81d8fe427eab8bc012c78012f7decfeeaacc
Instruction ID: bf3cc05da811949e1014022267dd91eea6a338cf224a282e5512e3fd1a775806
Opcode Fuzzy Hash: 30ebcf6cd7e9c1acd5137b0bfd3b81d8fe427eab8bc012c78012f7decfeeaacc
Instruction Fuzzy Hash: 76315071E00149AFDB04EFA9C881CEEBBFDEF49304B5480A9E415E7212D7319E45CBA0

Function 00138FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

GetCursorPos.USER32(?), ref: 00139001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000F7711,?,?,?,?,?), ref: 00139016
GetCursorPos.USER32(?), ref: 0013905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000F7711,?,?,?), ref: 00139094

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9d82453810c7fec02d637f9a661fcfe3fb504ab6ac0215735b8c502a29e1feef
Instruction ID: 795188670b3fcf98ae6c3e908ec92128c49a6db6d5c826604162fd0c841587ed
Opcode Fuzzy Hash: 9d82453810c7fec02d637f9a661fcfe3fb504ab6ac0215735b8c502a29e1feef
Instruction Fuzzy Hash: BA21DE35600118FFCB298FA8CC58EFA3FB9EF89350F004069FA059B261C3719990DBA0

Function 0010D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0013CB68), ref: 0010D2FB
GetLastError.KERNEL32 ref: 0010D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0010D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0013CB68), ref: 0010D376

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: feaec88124c082e6dcaf17cb2e77d761959f572555bbcd402980da5b8a8a12e7
Instruction ID: a72f1e53d8c3593e04007295d3f6f32981371a28562341e7b91ee07a360bf0bf
Opcode Fuzzy Hash: feaec88124c082e6dcaf17cb2e77d761959f572555bbcd402980da5b8a8a12e7
Instruction Fuzzy Hash: 3F218DB05083019FC710DFA8D8818AAB7E4BF56364F504A1DF499DB2E2DB70D946CB93

Function 00101571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00101014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0010102A
Part of subcall function 00101014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00101036
Part of subcall function 00101014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00101045
Part of subcall function 00101014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0010104C
Part of subcall function 00101014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00101062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001015BE
_memcmp.LIBVCRUNTIME ref: 001015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00101617
HeapFree.KERNEL32(00000000), ref: 0010161E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f551aa24ee83db5457eac327b728b2d1b85afe43d5eadd5215af4f4802e331e1
Instruction ID: 8cebf00b8fd164246177b0849d374b9e7270d43ac8ab044db30d4aaf8b40f7f3
Opcode Fuzzy Hash: f551aa24ee83db5457eac327b728b2d1b85afe43d5eadd5215af4f4802e331e1
Instruction Fuzzy Hash: 84217A31E00108FFDB14DFA4CD45BEEB7B8EF45344F084459E481AB281E7B5AA45DBA0

Function 00132782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0013280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00132824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00132832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00132840

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ed00f7796db16c6a51ae430251add8041fe04b1a3bba1d789b3b1515c43b78f0
Instruction ID: 128e79fa7c244c935962684c4a768e7e4141071b0abd7b245c64e611cd0f07d9
Opcode Fuzzy Hash: ed00f7796db16c6a51ae430251add8041fe04b1a3bba1d789b3b1515c43b78f0
Instruction Fuzzy Hash: 8A21D031304511AFD714AB24C855FAA7B95BF96324F148158F42A8B6E2CB71FC82CBD0

Function 001078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00108D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0010790A,?,000000FF,?,00108754,00000000,?,0000001C,?,?), ref: 00108D8C
Part of subcall function 00108D7D: lstrcpyW.KERNEL32(00000000,?,?,0010790A,?,000000FF,?,00108754,00000000,?,0000001C,?,?,00000000), ref: 00108DB2
Part of subcall function 00108D7D: lstrcmpiW.KERNEL32(00000000,?,0010790A,?,000000FF,?,00108754,00000000,?,0000001C,?,?), ref: 00108DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00108754,00000000,?,0000001C,?,?,00000000), ref: 00107923
lstrcpyW.KERNEL32(00000000,?,?,00108754,00000000,?,0000001C,?,?,00000000), ref: 00107949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00108754,00000000,?,0000001C,?,?,00000000), ref: 00107984

Strings

cdecl, xrefs: 0010797B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 255c9758e2489b23fc4ed5f7a310865470eba03d568115b5a675aa1976e06146
Instruction ID: 5907ad5d34dbf5b0f9cc2bce89558c996b09a4951e5afd323b99da2e4e0433c0
Opcode Fuzzy Hash: 255c9758e2489b23fc4ed5f7a310865470eba03d568115b5a675aa1976e06146
Instruction Fuzzy Hash: 6911293A204342ABCB156F34CC45D7A77A5FF45364B00402AF882C72E4EF71D811D7A1

Function 00137CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00137D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00137D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00137D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0011B7AD,00000000), ref: 00137D6B

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b2d2bd53f40c2e4ed2d0601e60d4562bd2baac08690d53d04ce8f82a9e26ee9a
Instruction ID: d9a5b9342352a3133a51a44086ae27196659bead777052d458a0a05ca3842c97
Opcode Fuzzy Hash: b2d2bd53f40c2e4ed2d0601e60d4562bd2baac08690d53d04ce8f82a9e26ee9a
Instruction Fuzzy Hash: 3311E1B2204695AFCB208F68CC04EA63BA4BF45360F118728F939D72F0D7308D91DB80

Function 00135660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001356BB
_wcslen.LIBCMT ref: 001356CD
_wcslen.LIBCMT ref: 001356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00135816

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0c52c957c05124590a745d9cbd175dd2bd27c56d41b267ca92e9b3b1bfd6675a
Instruction ID: 7048cca592f93289ba72545d4b1ffe8e18ff8b6d414bb90d64dbcd8c728b0e97
Opcode Fuzzy Hash: 0c52c957c05124590a745d9cbd175dd2bd27c56d41b267ca92e9b3b1bfd6675a
Instruction Fuzzy Hash: 8411E6B1A00618A6DF20DF65CC86EEE77BDFF11B64F50406AF915E6081EB70CA84CB60

Function 000D1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2a2614d455d0b1eb0970ccf00494b55389bb607a03ab0e4b5cc1a7f6af20ab
Instruction ID: 0d05ab3ebc88f77d114041808aa941dbddcf0275bcb36704837984eff48df1da
Opcode Fuzzy Hash: aa2a2614d455d0b1eb0970ccf00494b55389bb607a03ab0e4b5cc1a7f6af20ab
Instruction Fuzzy Hash: 97014BB22097167EF66126B86CC1FAB769EDF513B8B340327F522A13D2DF608C409170

Function 00101A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00101A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00101A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00101A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00101A8A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 92dad9a03b47db2d09480b5707e6abd2be9a824ebd296f3707149b273a7ac1d6
Instruction ID: ab2720e67c8dcdd520cf10a30bfea9f4364fe29d1c705be1d7be754d6c114e36
Opcode Fuzzy Hash: 92dad9a03b47db2d09480b5707e6abd2be9a824ebd296f3707149b273a7ac1d6
Instruction Fuzzy Hash: 1711273AA01219FFEB109BA4CD85FADBB79FB08750F200091EA00B7290D7B16E50DB94

Function 0010E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0010E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0010E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0010E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0010E24D

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 7122d537ba49e07fc8038ba4d2c902a29d05798893bc5c2b7778afa67c607deb
Instruction ID: 35b9650919f5fb094e86fac97128f8949ae4b50af176eeb05dc92be42a54a07f
Opcode Fuzzy Hash: 7122d537ba49e07fc8038ba4d2c902a29d05798893bc5c2b7778afa67c607deb
Instruction Fuzzy Hash: 9A110476904214BBC7019BACAC09A9F7FADAB45324F004629F828E36D1D3B0C9808BA0

Function 000CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,000CCFF9,00000000,00000004,00000000), ref: 000CD218
GetLastError.KERNEL32 ref: 000CD224
__dosmaperr.LIBCMT ref: 000CD22B
ResumeThread.KERNEL32(00000000), ref: 000CD249

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 253960b3b9b93ae7f46879bff7407cbc7b7ebff107455bb3d2d5f864801b59e6
Instruction ID: 240767ca1498ced2c8899cfba3cc2ed04bcb5105b1fc311fa84fb5b2e139e90b
Opcode Fuzzy Hash: 253960b3b9b93ae7f46879bff7407cbc7b7ebff107455bb3d2d5f864801b59e6
Instruction Fuzzy Hash: 0B01D276805204BBDB215BA5DC09FEE7AADEF91330F20022EF925961E1CB70C941D7A1

Function 000A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000A604C
GetStockObject.GDI32(00000011), ref: 000A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 000A606A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 10e4e84a849bd21f6c6cdb5475db0b2737dbf0e07a28faa371b31fcaee7de5f7
Instruction ID: 717134b0b041c200491f683294ece789d4877291d9263270181d07d37b20f4e9
Opcode Fuzzy Hash: 10e4e84a849bd21f6c6cdb5475db0b2737dbf0e07a28faa371b31fcaee7de5f7
Instruction Fuzzy Hash: 32116172501549BFEF124FA49C54EEB7BB9EF09354F050115FA1462110D732ACE0DB90

Function 000C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 000C3B56

Part of subcall function 000C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 000C3AD2
Part of subcall function 000C3AA3: ___AdjustPointer.LIBCMT ref: 000C3AED

_UnwindNestedFrames.LIBCMT ref: 000C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 000C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 000C3BA4

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 9328fe6b1e6bb74c08b74113cc2566f346110a4cbbe64037f6b583c0ca7dd5f7
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: EF01C532100149BBDF125F95CC46EEF7BA9EF58754F048018FE4856122C736E961ABA0

Function 000D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000A13C6,00000000,00000000,?,000D301A,000A13C6,00000000,00000000,00000000,?,000D328B,00000006,FlsSetValue), ref: 000D30A5
GetLastError.KERNEL32(?,000D301A,000A13C6,00000000,00000000,00000000,?,000D328B,00000006,FlsSetValue,00142290,FlsSetValue,00000000,00000364,?,000D2E46), ref: 000D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000D301A,000A13C6,00000000,00000000,00000000,?,000D328B,00000006,FlsSetValue,00142290,FlsSetValue,00000000), ref: 000D30BF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 989163d035e3d542f6b4d9859e6d36d37f7e9f1a864a7fa135906e4d6623a3f2
Instruction ID: 5f0e910354f85a67ff5f1056d3e34cd7d1cf8257d0a8a84fb9de961bc3cb61ba
Opcode Fuzzy Hash: 989163d035e3d542f6b4d9859e6d36d37f7e9f1a864a7fa135906e4d6623a3f2
Instruction Fuzzy Hash: CA01D432301322ABCB314AB8AC54A577F98AF05B61B140621F905F3740C721D981C7F1

Function 00107464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0010747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00107497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001074CA

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 65c71bd88573036e21875c51781eac8d66b281d4f9de371eef64021c5b05f51d
Instruction ID: 9e1de0dcfb0a3140d9226e5d6f8780fe1cfd0347705d1e3376a03db360f249ed
Opcode Fuzzy Hash: 65c71bd88573036e21875c51781eac8d66b281d4f9de371eef64021c5b05f51d
Instruction Fuzzy Hash: E8116DB5A09315ABE7208F14EC09BA27BFCEB00B04F108569A696E65D1D7B0F944DBA0

Function 0010B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0010ACD3,?,00008000), ref: 0010B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0010ACD3,?,00008000), ref: 0010B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0010ACD3,?,00008000), ref: 0010B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0010ACD3,?,00008000), ref: 0010B126

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: db0f5b2ba369a20fcf9cded8a8a82e887912fda200de65d33bf5df0bb76318ee
Instruction ID: e2b0dcce98dfd3819884b4c1c263863398a6eb5a77d9581e52d2b7c40c60c2b9
Opcode Fuzzy Hash: db0f5b2ba369a20fcf9cded8a8a82e887912fda200de65d33bf5df0bb76318ee
Instruction Fuzzy Hash: 26116D71C0552CEBCF04AFE4E9A8AEEBB78FF09711F114085E981B2185CBB056A09B91

Function 00137E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00137E33
ScreenToClient.USER32(?,?), ref: 00137E4B
ScreenToClient.USER32(?,?), ref: 00137E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00137E8A

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 74fdc79c346a7e7da76df0319b6ec7e43611a08c86321b7e217079ae69aa0cfb
Instruction ID: d12dc7bef835ac8427d5a741ed4a7b7446622d52f122f0aa233a268862932b6a
Opcode Fuzzy Hash: 74fdc79c346a7e7da76df0319b6ec7e43611a08c86321b7e217079ae69aa0cfb
Instruction Fuzzy Hash: AB1143B9D0024AAFDB51CF98C8849EEBBF5FB18310F505066E915E2610D735AA94CF90

Function 00102DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00102DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00102DD6
GetCurrentThreadId.KERNEL32 ref: 00102DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00102DE4

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 23a6b86cc74c4a33f2a5087bbd1dbad8d8697d2d1797479fd94edc99fe5d195e
Instruction ID: e360e28f9c268a567858804e61057e09a14136e76ad021d91c633af9c7c8f669
Opcode Fuzzy Hash: 23a6b86cc74c4a33f2a5087bbd1dbad8d8697d2d1797479fd94edc99fe5d195e
Instruction Fuzzy Hash: 61E0EDB1501624BADB202BA29C0EEEB7E6CEB56BA1F400115F505E15909AA5C981D7F1

Function 00138863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B9693
Part of subcall function 000B9639: SelectObject.GDI32(?,00000000), ref: 000B96A2
Part of subcall function 000B9639: BeginPath.GDI32(?), ref: 000B96B9
Part of subcall function 000B9639: SelectObject.GDI32(?,00000000), ref: 000B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00138887
LineTo.GDI32(?,?,?), ref: 00138894
EndPath.GDI32(?), ref: 001388A4
StrokePath.GDI32(?), ref: 001388B2

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 93afa9712a4c6ef4b467ee43d0e86029c43032a1f25a7efc94d65e37fd286c6c
Instruction ID: c08bcb6b6362ca3f7aee49acc89dd5afdc8868ab158bc051e5652c73adfdbef8
Opcode Fuzzy Hash: 93afa9712a4c6ef4b467ee43d0e86029c43032a1f25a7efc94d65e37fd286c6c
Instruction Fuzzy Hash: 6BF05E3A045658FADB125F98AC09FCE3F69AF06310F048040FB16754E2C7755591DFE9

Function 000B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000B98CC
SetTextColor.GDI32(?,?), ref: 000B98D6
SetBkMode.GDI32(?,00000001), ref: 000B98E9
GetStockObject.GDI32(00000005), ref: 000B98F1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 598072ce3154aabdf4e8ecdb688d644d4ff760695dbc52c54649805755cdf758
Instruction ID: 42433165f7371066ba8e52641fbffd5c3b9e99d00f57d43c6e8b6d48e22d72a4
Opcode Fuzzy Hash: 598072ce3154aabdf4e8ecdb688d644d4ff760695dbc52c54649805755cdf758
Instruction Fuzzy Hash: 4AE09B31244644EEDF615B78FC09BE83F51EB51335F048219F7F9644E1C3714680AB11

Function 0010162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00101634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001011D9), ref: 0010163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001011D9), ref: 00101648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001011D9), ref: 0010164F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1426ae9ba45a1b608d270e82be156d82652f69d4219061fd8fb5d69005e25f40
Instruction ID: 404aeca85df1df49b15dfa27a1fc23e3a1146e0b1403fd8441a7648f915e8650
Opcode Fuzzy Hash: 1426ae9ba45a1b608d270e82be156d82652f69d4219061fd8fb5d69005e25f40
Instruction Fuzzy Hash: 1EE08636601211EBD7201FA09D0DB873B7CAF54791F144808F285E9080D7B88484C790

Function 000FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000FD858
GetDC.USER32(00000000), ref: 000FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000FD882
ReleaseDC.USER32(?), ref: 000FD8A3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 03c980cd22ca90af33434387255933e83e5b3a4ea11210fdf45323ab459d11c5
Instruction ID: 0473f812aa00620f719f1d3655a1c6a040edb080c3b294184eb5375a4bef678a
Opcode Fuzzy Hash: 03c980cd22ca90af33434387255933e83e5b3a4ea11210fdf45323ab459d11c5
Instruction Fuzzy Hash: 7BE01AB5800204DFCB51AFA0D80DA6DBBB2FB08310F208019F846F7760CB388981AF80

Function 000FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000FD86C
GetDC.USER32(00000000), ref: 000FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000FD882
ReleaseDC.USER32(?), ref: 000FD8A3

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1b69cf8b4fbfe2734026c6a778e8b8e06bb695495ba4443fad3922051fdeaa54
Instruction ID: 1475d017fa3cdc959bdcddc81594fb494f9e30f180a5414136edafc763fe56a5
Opcode Fuzzy Hash: 1b69cf8b4fbfe2734026c6a778e8b8e06bb695495ba4443fad3922051fdeaa54
Instruction Fuzzy Hash: BCE092B5800604EFCB51AFA0D84DAADBBB5BB08311F148459F94AF7760DB389981AF90

Function 00114D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 000A7620: _wcslen.LIBCMT ref: 000A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00114ED4

Strings

*, xrefs: 00114E10
LPT, xrefs: 00114DFB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e5da06fb5e36789d4ce19214280d7868c9b8a884835f846821f27bd8605b6dc8
Instruction ID: 0fba50a4f5031d872d4380f9288d07b46e63030bb9e54c49754e8b75768c5fb0
Opcode Fuzzy Hash: e5da06fb5e36789d4ce19214280d7868c9b8a884835f846821f27bd8605b6dc8
Instruction Fuzzy Hash: 41916175A002059FCB18DF58C484EE9BBF1BF45704F1980A9E40A9F3A2D775ED86CB91

Function 000BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 000BE1B1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 780bf97e986c8d8e380c03c1dbb182d0a9eabb61ff2cd9967399ebb9eadea916
Instruction ID: 213defc3ca08a82861b16ada66b898db5e216cd7a64d28bac871c6cdac46bd4e
Opcode Fuzzy Hash: 780bf97e986c8d8e380c03c1dbb182d0a9eabb61ff2cd9967399ebb9eadea916
Instruction Fuzzy Hash: 645144355083CADFDB25EF68C0816FE7BE4EF16310F244065E9919B6E1DA349D42DB90

Function 000BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 000BF2BB

Strings

@, xrefs: 000BF2AF

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3a3476734ab4f1a4e2e647bf463601e7ac33b54724698f4d0175ba159a73ad1e
Instruction ID: a742df884f157feb76c12f1fbaa01094e495f4f339b6cc61134248f9f098dba9
Opcode Fuzzy Hash: 3a3476734ab4f1a4e2e647bf463601e7ac33b54724698f4d0175ba159a73ad1e
Instruction Fuzzy Hash: 82512571408744AFE320AF50DC86BABBBF8FB85340F81885DF199411A6EB718569CB66

Function 00125745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001257E0
_wcslen.LIBCMT ref: 001257EC

Strings

CALLARGARRAY, xrefs: 001257E6, 001257EB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f4d1eaa1021f9b45dac2fb3cf9305906cc4a08de8563ad83bb8d0232645255f9
Instruction ID: 58bc4d9c12a61043937940ea352780f95d53a0bb1d53299795ddc73c80bd857a
Opcode Fuzzy Hash: f4d1eaa1021f9b45dac2fb3cf9305906cc4a08de8563ad83bb8d0232645255f9
Instruction Fuzzy Hash: 5E41B371E001199FCB04DFA9D8819FEBBF6FF59324F104029E505A7292D7B49D91CB90

Function 0011D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0011D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0011D13A

Strings

|, xrefs: 0011D10B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4789e23e54d14c16d4920afdeabe55c7e25ffa5bdc0406230b4946c956af4c6e
Instruction ID: bd9e987faadc7402bc5fceffa4d987f4366a18b4260cc0da74230057befbd94f
Opcode Fuzzy Hash: 4789e23e54d14c16d4920afdeabe55c7e25ffa5bdc0406230b4946c956af4c6e
Instruction Fuzzy Hash: 69312C71D00219ABCF15EFE4DC85AEEBFB9FF05300F000069F815A6162DB35AA46CB60

Function 0013356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00133621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0013365C

Strings

static, xrefs: 001335BC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 14a3244a4b327dc7111cb87987842af1940a798016dbf6476984e5e9d512e0ce
Instruction ID: ee36da140f5e07b0fa46c5c08abf0e5a2c008d590e2039c241a59ef7feac511f
Opcode Fuzzy Hash: 14a3244a4b327dc7111cb87987842af1940a798016dbf6476984e5e9d512e0ce
Instruction Fuzzy Hash: 84319CB1110204AEEB209F68DC81EFB73A9FF88760F009619F8A5D7290DB31ED91D764

Function 00134537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0013461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00134634

Strings

', xrefs: 0013458E

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8bb080e633469532f0d7c949a355278f8a1a03ecfdd5517fc41a78ad153d743c
Instruction ID: 7ef154ec3c58cb926ce21a24b1531fdb4d604b19d002ff672ac790718c8d8c01
Opcode Fuzzy Hash: 8bb080e633469532f0d7c949a355278f8a1a03ecfdd5517fc41a78ad153d743c
Instruction Fuzzy Hash: 1A31F6B5E0130AAFDB14CFA9C991BDABBB5FF49300F14406AE905AB391D770A945CF90

Function 001331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0013327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00133287

Strings

Combobox, xrefs: 00133249

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 42efa9e3a982e387a3b4c0adc980b5c62fb4a8f8acaff94b806fe4980bf629c2
Instruction ID: c655590da0ba7615fbd7ecc46680e04eb91f5b1375a32e42b2410b57b752a742
Opcode Fuzzy Hash: 42efa9e3a982e387a3b4c0adc980b5c62fb4a8f8acaff94b806fe4980bf629c2
Instruction Fuzzy Hash: D511B2713002087FEF259F94DC81EFB3B6AEB943A4F104228F92897291D7719DA18760

Function 0010EF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0010EF1D

Strings

HANDLE, xrefs: 0010EF16
pF, xrefs: 0010EF1B

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$pF
API String ID: 176396367-2664653823
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: dc52b7186a27bd49a5b38e2e94182a5a9cd9f085df8c5219fe4a889a90ff4abc
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: 021126B15101169BE7189F26D889BADB3E8EF80761F60486FE080CE0C4EBF09E818B14

Function 00133710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000A604C
Part of subcall function 000A600E: GetStockObject.GDI32(00000011), ref: 000A6060
Part of subcall function 000A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A606A

GetWindowRect.USER32(00000000,?), ref: 0013377A
GetSysColor.USER32(00000012), ref: 00133794

Strings

static, xrefs: 00133757

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6c39a4e06b4639a9f07b2defa7987e5ddb396d3cddbf8684f880a34b89a3de3d
Instruction ID: 403b970787aa3f02ab765b17b422fb636cadbc2fe3873047276f409c5be6569a
Opcode Fuzzy Hash: 6c39a4e06b4639a9f07b2defa7987e5ddb396d3cddbf8684f880a34b89a3de3d
Instruction Fuzzy Hash: 9C113AB2610209AFDF01DFA8CC46EFA7BB8FB08354F014514F965E2250D735E8519B50

Function 0011CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0011CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0011CDA6

Strings

<local>, xrefs: 0011CD66

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 43f8857c161dccfa9ef650b140e7f8dd923a2b9e3df793a9ac111ca05fda31e9
Instruction ID: 3656745c30e94b8b0a8e3aadfa418ed8a4c35ce0bca08f870e45f7233ab0ae20
Opcode Fuzzy Hash: 43f8857c161dccfa9ef650b140e7f8dd923a2b9e3df793a9ac111ca05fda31e9
Instruction Fuzzy Hash: 8911C6712856317ADB3C4BA69C45EE7BE6CEF127A4F004236B50993080D7709880D6F0

Function 00133429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001334BA

Strings

edit, xrefs: 0013348F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 59c8c3f898439c5f963685bb39835a94fcb5d560d7e9775b6be2096b2f1c1eb5
Instruction ID: 862b6822250d8d3a7304843857c5e09d8c1dbd31d628ca5dcf5ec3a6aa5803ce
Opcode Fuzzy Hash: 59c8c3f898439c5f963685bb39835a94fcb5d560d7e9775b6be2096b2f1c1eb5
Instruction Fuzzy Hash: 27118C71100208AFEB228F68DC44AEB376AEB15378F514324F975A31E0C771DC919B68

Function 00106C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00106CB6
_wcslen.LIBCMT ref: 00106CC2

Strings

STOP, xrefs: 00106CBC, 00106CC1

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 5ff9e08a6c237524a445fd7ba4a017b15154bc946d2b2ef2d2b51ed69183dba0
Instruction ID: 4c619a117a305b37f16b9097e21648ad352e30f3510ec3fe4be3b91a90d200c2
Opcode Fuzzy Hash: 5ff9e08a6c237524a445fd7ba4a017b15154bc946d2b2ef2d2b51ed69183dba0
Instruction Fuzzy Hash: A2010032A005268BDB20AFFDDD819BF37A5EB61760B010528E8E2961D1EBB1D860C750

Function 00101CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 00103CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00103CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00101D4C

Strings

ListBox, xrefs: 00101D16
ComboBox, xrefs: 00101CEB

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bc19591a034e599e63026d595a39d759109996715b9c5a58791578eedab77a55
Instruction ID: ec99bbee698883b61e0207104ee997fe8174bd68c6c809c6a0be851321bf81cb
Opcode Fuzzy Hash: bc19591a034e599e63026d595a39d759109996715b9c5a58791578eedab77a55
Instruction Fuzzy Hash: 6B01B571601214BBCB08EBE4CD558FE7369EB56350B04091AF8B2672C2EF7459088760

Function 00101BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 00103CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00103CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00101C46

Strings

ListBox, xrefs: 00101C10
ComboBox, xrefs: 00101BE5

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8a9402686631f5bc834bfd4f85cf1139911909c20045134a202aa5c6bac61804
Instruction ID: dfb3f59d7af2d16dd5374e32691088ad3671f0957a03ad39fc51b050fb6f4e35
Opcode Fuzzy Hash: 8a9402686631f5bc834bfd4f85cf1139911909c20045134a202aa5c6bac61804
Instruction Fuzzy Hash: C901847578110476DB08EB90CA529FF77A99B12380F140019A456772C2EF649A5886B1

Function 00101C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 00103CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00103CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00101CC8

Strings

ListBox, xrefs: 00101C94
ComboBox, xrefs: 00101C69

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2e7d4b5fea9dc553308ce8f093f66b63b5a03051d5c8e6028b6a617a1526c290
Instruction ID: 85ccb5d6f13ab7480ad8532b337445e82717edac72eceb589e0eecd088dc3185
Opcode Fuzzy Hash: 2e7d4b5fea9dc553308ce8f093f66b63b5a03051d5c8e6028b6a617a1526c290
Instruction Fuzzy Hash: 230162B578111877EB14EBA4CB12AFE77AD9B12380F540015B842B32C2EBA5DF19C671

Function 00101D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 00103CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00103CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00101DD3

Strings

ListBox, xrefs: 00101DA0
ComboBox, xrefs: 00101D75

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 31328b6d9bc984fa188663e6cc6281e54ebcc69f9ca8ca20daf3aa89238dc9cc
Instruction ID: 9bd1ec848907df56bc74a5c90f53b31bf42a5b98c6aa97fc5264b85f15b93d99
Opcode Fuzzy Hash: 31328b6d9bc984fa188663e6cc6281e54ebcc69f9ca8ca20daf3aa89238dc9cc
Instruction Fuzzy Hash: B2F0A471B4161876DB08F7E4CD56AFE776CAB12390F440915B862A72C2DFA459088360

Function 0012747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00127493
_wcslen.LIBCMT ref: 001274B9

Strings

3, 3, 16, 1, xrefs: 00127483

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bc595d5436e79589753b19745fd5e0ba96f3486bfcfe6127143874f67e7e562d
Instruction ID: d24505ca82ac4b0441b72cfe7616eaea66e543a40604e3d4afd9088318aedcbc
Opcode Fuzzy Hash: bc595d5436e79589753b19745fd5e0ba96f3486bfcfe6127143874f67e7e562d
Instruction Fuzzy Hash: 3DE02B026042701092313379BCC1EFF5689EFC6750710182FF981C22E7EBA48DB193A0

Function 00100B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00100B23

Strings

AutoIt, xrefs: 00100B17
Error allocating memory., xrefs: 00100B1C

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: fc8d52f3d71c7e916e67b642402b7f6ad9a0ba609463b56c86c4d1ccaea49b83
Instruction ID: eae2e3921d14461e8e33c94f4230738638ef671e67703422b8c66170176ad3fa
Opcode Fuzzy Hash: fc8d52f3d71c7e916e67b642402b7f6ad9a0ba609463b56c86c4d1ccaea49b83
Instruction Fuzzy Hash: 36E04F322883192AD21437947C03FD97A859F09B65F10046AFB98B65C38BE265A047E9

Function 000C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000C0D71,?,?,?,000A100A), ref: 000BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,000A100A), ref: 000C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000A100A), ref: 000C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000C0D7F

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 090ee622f9ef864d952555456e984239c31cd205ffce3c075e83effad886a158
Instruction ID: cf4af9d08d4c0bc8988d47ac5308dfbba841d8674f4cebe838746afb52ef96f8
Opcode Fuzzy Hash: 090ee622f9ef864d952555456e984239c31cd205ffce3c075e83effad886a158
Instruction Fuzzy Hash: 2DE06D742003118BD3609FB8D808B967BE0AB00740F00896DE886D6A52DBB5E484CBD1

Function 00113017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0011302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00113044

Strings

aut, xrefs: 00113038

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 60f5760d66ed16012fc54b45aff3cb1cbde0d5987059bdd994fd6166c36f4a4c
Instruction ID: 9ae115f6ebe7df50752eaeca604e2103dafb71895f3855995a6e6014de80770e
Opcode Fuzzy Hash: 60f5760d66ed16012fc54b45aff3cb1cbde0d5987059bdd994fd6166c36f4a4c
Instruction Fuzzy Hash: 3CD05E7250032867DA20A7A4AC0EFCB7A7CDB04750F0002A1BA55F2091DAB09984CBD0

Function 00132322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0013232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0013233F

Part of subcall function 0010E97B: Sleep.KERNEL32 ref: 0010E9F3

Strings

Shell_TrayWnd, xrefs: 00132325

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a56a2657628c3061e36ee2f4b2d1011a16eff2ebdd95581d5466eaec8d72f037
Instruction ID: 9f9f49eb1c68f66a2dc600dc0ce30be190d203d9e9a4c5406b520c97ebb99fc1
Opcode Fuzzy Hash: a56a2657628c3061e36ee2f4b2d1011a16eff2ebdd95581d5466eaec8d72f037
Instruction Fuzzy Hash: BBD012763D4310B7E664B771DC0FFC67A54AB10B14F0049167789BA1D0CAF0A841CB94

Function 00132356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0013236C
PostMessageW.USER32(00000000), ref: 00132373

Part of subcall function 0010E97B: Sleep.KERNEL32 ref: 0010E9F3

Strings

Shell_TrayWnd, xrefs: 00132365

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fadaafdd9d9648fa53414047f509e7b42d692674a82a8971005581b54c84ba35
Instruction ID: 2df60e494087126f8f1d2c6840cc57a935052f6a60dd027182310e551fe48da0
Opcode Fuzzy Hash: fadaafdd9d9648fa53414047f509e7b42d692674a82a8971005581b54c84ba35
Instruction Fuzzy Hash: 23D0C9723C13107AE664A7719C0FFC67654AB15B14F0049167685BA1D0CAE0A8418B94

Function 000DBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 000DBE93
GetLastError.KERNEL32 ref: 000DBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000DBEFC

Memory Dump Source

Source File: 00000000.00000002.2344591544.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2344544334.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344678195.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344765582.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344797753.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 72e7a1c33e19e95786655de4c9e37d189a2d345aec9af525aa78990c3dc291e1
Instruction ID: 24c7ae8e8541f00a6634ddeceb3dcc98567c85a4e3455f691fd53b6e4ebcd096
Opcode Fuzzy Hash: 72e7a1c33e19e95786655de4c9e37d189a2d345aec9af525aa78990c3dc291e1
Instruction Fuzzy Hash: 0D41C035604346EBCB318F65CC44ABE7BE5AF41320F16416AF9599B3A1DB308D00DB71

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2381668737.00000162B521B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2405809981.00000162B521B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2467006394.00000162C0C1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2510879135.00000162C0C15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2467006394.00000162C0C1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2463937903.00000162B61D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2466959458.00000162C0CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2468172717.00000162BD3BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2463937903.00000162B61D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2466959458.00000162C0CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2507508521.00000162B67C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2467006394.00000162C0C1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2524662563.00000162B678E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2493728621.00000162BD552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2493728621.00000162BD552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2467006394.00000162C0C1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2463937903.00000162B61D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2466959458.00000162C0CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2468172717.00000162BD3BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2463937903.00000162B61D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2466959458.00000162C0CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2457836923.00000162B7640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2514251021.00000162B7640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2500474524.00000162B7640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2457836923.00000162B7640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2514251021.00000162B7640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2500474524.00000162B7640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2457836923.00000162B7640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2514251021.00000162B7640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2500474524.00000162B7640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2507508521.00000162B67C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2467006394.00000162C0C1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2524662563.00000162B678E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2467006394.00000162C0C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2507508521.00000162B67AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2524662563.00000162B678E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2507508521.00000162B678E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: file.exe	Virustotal: Detection: 23%			Perma Link
Source: file.exe	ReversingLabs: Detection: 28%

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.6:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49920 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_86d3d877-35d6-4999-9461-8958b432b14f.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_86d3d877-35d6-4999-9461-8958b432b14f.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre