Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574458
MD5:	9b55afc1ca0156a623d6c797cf48ea06
SHA1:	4ba883db2fc00f0ef478ba431904c67b9660a03b
SHA256:	835b3cbdb1fd7a062e79fe9146a6b46aa1fb12d8f408fef57672109f64b1acbe
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6548 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9B55AFC1CA0156A623D6C797CF48EA06)

taskkill.exe (PID: 1412 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3176 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 652 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5884 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1868 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1412 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 408 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4676 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 528 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2176 -parentBuildID 20230927232528 -prefsHandle 2084 -prefMapHandle 2076 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {673b1df6-0c4b-4256-9078-09fbf41f71ab} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b24146e110 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7720 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4336 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 4116 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a7fa0f8-03b6-45d3-a9d9-1cefb0e1c3a3} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b24147d210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7504 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=884 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 948 -prefMapHandle 944 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8de80ac3-24d6-4ca4-bcf4-f7144e6d958c} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b252a96110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6548	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00BDEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00BDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BDED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00BDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00BCAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BF9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2079472874.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ccd912b0-4
Source: file.exe, 00000000.00000000.2079472874.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_88573171-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_318d97d5-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_096c24bb-0

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026A785F53B7 NtQuerySystemInformation,		17_2_0000026A785F53B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026A787134B2 NtQuerySystemInformation,		17_2_0000026A787134B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00BCD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BCE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B68060	0_2_00B68060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD2046	0_2_00BD2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8298	0_2_00BC8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9E4FF	0_2_00B9E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9676B	0_2_00B9676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF4873	0_2_00BF4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8CAA0	0_2_00B8CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B6CAF0	0_2_00B6CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7CC39	0_2_00B7CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B96DD9	0_2_00B96DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B691C0	0_2_00B691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7B119	0_2_00B7B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81394	0_2_00B81394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81706	0_2_00B81706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8781B	0_2_00B8781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B819B0	0_2_00B819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B67920	0_2_00B67920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7997D	0_2_00B7997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87A4A	0_2_00B87A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87CA7	0_2_00B87CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81C77	0_2_00B81C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B99EEE	0_2_00B99EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BEBE44	0_2_00BEBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81F32	0_2_00B81F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026A785F53B7	17_2_0000026A785F53B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026A787134B2	17_2_0000026A787134B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026A78713BDC	17_2_0000026A78713BDC
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026A787134F2	17_2_0000026A787134F2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B69CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B80A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B7F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD37B5 GetLastError,FormatMessageW,

0_2_00BD37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC10BF AdjustTokenPrivileges,CloseHandle,		0_2_00BC10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BC16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00BD51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BCD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00BD648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B642A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Mozilla Firefox\firefox.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2331707295.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308985866.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2176 -parentBuildID 20230927232528 -prefsHandle 2084 -prefMapHandle 2076 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {673b1df6-0c4b-4256-9078-09fbf41f71ab} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b24146e110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4336 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 4116 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a7fa0f8-03b6-45d3-a9d9-1cefb0e1c3a3} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b24147d210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=884 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 948 -prefMapHandle 944 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8de80ac3-24d6-4ca4-bcf4-f7144e6d958c} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b252a96110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2176 -parentBuildID 20230927232528 -prefsHandle 2084 -prefMapHandle 2076 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {673b1df6-0c4b-4256-9078-09fbf41f71ab} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b24146e110 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4336 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 4116 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a7fa0f8-03b6-45d3-a9d9-1cefb0e1c3a3} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b24147d210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=884 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 948 -prefMapHandle 944 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8de80ac3-24d6-4ca4-bcf4-f7144e6d958c} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b252a96110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2321620771.000001B255A01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2321620771.000001B255A01000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80A76 push ecx; ret

0_2_00B80A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B7F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BF1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97528

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000026A785F53B7 rdtsc

17_2_0000026A785F53B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BCDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9C2A2 FindFirstFileExW,	0_2_00B9C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD68EE FindFirstFileW,FindClose,	0_2_00BD68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00BD698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BCD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BCD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BD9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BD979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00BD9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00BD5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: firefox.exe, 00000010.00000002.3350793611.000001D55A340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<$
Source: firefox.exe, 00000010.00000002.3350793611.000001D55A340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?-
Source: firefox.exe, 00000010.00000002.3350793611.000001D55A340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW."
Source: file.exe, 00000000.00000003.2170883856.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169674164.0000000001622000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169100527.000000000161D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3344909195.000001D5599D7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3344909195.000001D5599AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3343926105.0000026A77D4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3348484032.0000026A78470000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3348775957.00000297A3300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3350032736.000001D559F1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3348484032.0000026A78470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: firefox.exe, 00000010.00000002.3350793611.000001D55A340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS'
Source: firefox.exe, 00000013.00000002.3344793616.00000297A2F1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@E0
Source: firefox.exe, 00000010.00000002.3350793611.000001D55A340000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3348484032.0000026A78470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000026A785F53B7 rdtsc

17_2_0000026A785F53B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDEAA2 BlockInput,

0_2_00BDEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B92622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B84CE8 mov eax, dword ptr fs:[00000030h]

0_2_00B84CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00BC0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B92622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B8083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B809D5 SetUnhandledExceptionFilter,	0_2_00B809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B80C21

Source: C:\Users\user\Desktop\file.exe

0_2_00BC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BA2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BA2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCB226 SendInput,keybd_event,

0_2_00BCB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00BE22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00BC0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BC1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2349782266.000001B255A01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80698 cpuid

0_2_00B80698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BBD21C GetLocalTime,

0_2_00BBD21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BBD27A GetUserNameW,

0_2_00BBD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B9B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00B9B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6548, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6548, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00BE1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00BE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://login.li	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
dualstack.reddit.map.fastly.net	151.101.129.140	true	false	high
youtube-ui.l.google.com	216.58.208.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000013.00000002.3345853830.00000297A32C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2335931808.000001B254DCD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2305778968.000001B24D2B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2274604853.000001B25954B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265938050.000001B25954B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3346514166.000001D559DC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3345245284.0000026A77FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3349017624.00000297A3403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3346514166.000001D559D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3345245284.0000026A77F86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3345853830.00000297A328F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2186225124.000001B25AB53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2330957818.000001B25AB53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327777876.000001B25AB50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2170049219.000001B2599F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186484159.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311788583.000001B2599F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342182660.000001B2599F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314083733.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177876678.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2324616784.000001B25966A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314203914.000001B25997F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2309973410.000001B25A6C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2322598990.000001B25A6C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341762381.000001B25A6CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2143946160.000001B25161D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144852053.000001B25166F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2143799009.000001B251400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144714460.000001B251653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144104129.000001B251638000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144976937.000001B25168A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2181204840.000001B251DC3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2308985866.000001B25AAA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373400088.000001B25AAA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313614672.000001B25AAA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2143946160.000001B25161D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290340751.000001B252C6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346553356.000001B252BA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144852053.000001B25166F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2143799009.000001B251400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144714460.000001B251653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144104129.000001B251638000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144976937.000001B25168A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000E.00000003.2336152698.000001B254DA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2143946160.000001B25161D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144852053.000001B25166F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2143799009.000001B251400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144714460.000001B251653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144104129.000001B251638000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000E.00000003.2312669115.000001B25B37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340330160.000001B253AEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180116930.000001B253AEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2332811991.000001B259918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2186225124.000001B25AB53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2330957818.000001B25AB53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327777876.000001B25AB50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2327940850.000001B25AA0D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://login.li	firefox.exe, 0000000E.00000003.2387174055.000001B251EF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271322705.000001B251EF7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2311788583.000001B2599E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2170049219.000001B2599E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187896001.000001B252950000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171507101.000001B252950000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342182660.000001B2599E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186484159.000001B2599E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2309800858.000001B25A6E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335931808.000001B254DF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3345245284.0000026A77F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3345853830.00000297A320C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2249464200.000001B25281E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245017640.000001B252834000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2186594977.000001B25994C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2328228490.000001B25994C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332335997.000001B25994C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2170049219.000001B2599F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186484159.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311788583.000001B2599F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342182660.000001B2599F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314083733.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177876678.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2309347448.000001B25AA06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331905457.000001B25AA28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327940850.000001B25AA0D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000013.00000002.3345853830.00000297A32C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2329376301.000001B254ED9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2245017640.000001B252825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249431697.000001B25283A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2204929048.000001B252C74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2362301022.000001B25AE86000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2335931808.000001B254DCD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2330436408.000001B25AE1A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3346514166.000001D559DC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3345245284.0000026A77FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3349017624.00000297A3403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3346514166.000001D559DC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3345245284.0000026A77FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3349017624.00000297A3403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://spocs.getpocket.com/	firefox.exe, 00000013.00000002.3345853830.00000297A3213000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2170049219.000001B2599F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186484159.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311788583.000001B2599F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342182660.000001B2599F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314083733.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177876678.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000013.00000002.3345419372.00000297A31E0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2275771434.000001B252063000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155605926.000001B2527C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303151624.000001B24E4FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290340751.000001B252C6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300593805.000001B24E4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387046636.000001B251F90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214508765.000001B2528C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196791739.000001B252C4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256126112.000001B251AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195561537.000001B252C91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382654361.000001B2527D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295207128.000001B2527C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315330995.000001B259470000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265938050.000001B259538000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249883023.000001B2527F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344528219.000001B253EA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340330160.000001B253AE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204929048.000001B252C74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211101172.000001B25206D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203862645.000001B252C69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204667626.000001B252CCA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2336152698.000001B254DA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2336152698.000001B254DA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false		high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2326003552.000001B25949A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2336808720.000001B254BE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187184360.000001B2594CE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2336808720.000001B254BE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187184360.000001B2594CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2274604853.000001B25954B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265938050.000001B25954B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2170323432.000001B259982000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311972361.000001B259992000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186594977.000001B25998D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324494304.000001B259995000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177983999.000001B259991000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2187896001.000001B25297A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2300593805.000001B24E455000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299806788.000001B24E455000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2249431697.000001B25283A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2310511345.000001B25A653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323315225.000001B25A653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341933106.000001B25A653000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2336111466.000001B254DB5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2249464200.000001B25281E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246784226.000001B252843000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249679503.000001B25282A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249609660.000001B252845000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245017640.000001B252834000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2300593805.000001B24E455000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299806788.000001B24E455000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2309347448.000001B25AA06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331905457.000001B25AA28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327940850.000001B25AA0D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2187184360.000001B2594C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2170049219.000001B2599F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186484159.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311788583.000001B2599F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342182660.000001B2599F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314083733.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177876678.000001B2599F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2381237033.000001B252A60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2144104129.000001B251638000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2171507101.000001B252981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144714460.000001B251653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144104129.000001B251638000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381237033.000001B252A60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144976937.000001B25168A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2186225124.000001B25AB53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2330957818.000001B25AB53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327777876.000001B25AB50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3346085071.000001D559B50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3348721008.0000026A78570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3345104401.00000297A2F50000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.wykop.pl/	firefox.exe, 0000000E.00000003.2187896001.000001B252950000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171507101.000001B252950000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574458
Start date and time:	2024-12-13 10:47:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.213.181.160, 35.85.93.176, 44.228.225.150, 142.250.181.142, 88.221.134.155, 88.221.134.209, 142.250.181.138, 142.250.181.106, 23.218.208.109, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, aus5.mozilla.org, detectportal.prod.mozaws.net, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 4676 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
04:48:26	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	zpbiw0htk6.lnk	Get hash	malicious	Unknown	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	151.101.66.137
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse	151.101.0.223
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	secure.htm	Get hash	malicious	HTMLPhisher	Browse	185.199.110.153
	archive.htm	Get hash	malicious	HTMLPhisher	Browse	185.199.111.153
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	185.199.108.153
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_92fa9b10-8efb-4405-913b-cd3de413bd9c.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179300943295724
Encrypted:	false
SSDEEP:	192:BKMX1BCcbhbVbTbfbRbObtbyEl7nQrJJA6wnSrDtTkd/SGu:BP2cNhnzFSJwrkjnSrDhkd/Hu
MD5:	C048BFAA8E4C19185182E32AE08CA718
SHA1:	CAADCBAA95147020A9EB9D843B62B0689B21DC3C
SHA-256:	6A77950432547DFE58A2E11B03E11C5A9E3049E479DB1CD14247648B23283E7C
SHA-512:	EA2DD09E98708007379DE0AB3DE1F39A34A08C0244E39197F10C4AF065A623C51CDC7F2A4EC2FE815E7B5A39563565758F8D2084D13F5972D92354B8A60D8F8C
Malicious:	false
Preview:	{"type":"uninstall","id":"92fa9b10-8efb-4405-913b-cd3de413bd9c","creationDate":"2024-12-13T11:02:16.035Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_92fa9b10-8efb-4405-913b-cd3de413bd9c.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179300943295724
Encrypted:	false
SSDEEP:	192:BKMX1BCcbhbVbTbfbRbObtbyEl7nQrJJA6wnSrDtTkd/SGu:BP2cNhnzFSJwrkjnSrDhkd/Hu
MD5:	C048BFAA8E4C19185182E32AE08CA718
SHA1:	CAADCBAA95147020A9EB9D843B62B0689B21DC3C
SHA-256:	6A77950432547DFE58A2E11B03E11C5A9E3049E479DB1CD14247648B23283E7C
SHA-512:	EA2DD09E98708007379DE0AB3DE1F39A34A08C0244E39197F10C4AF065A623C51CDC7F2A4EC2FE815E7B5A39563565758F8D2084D13F5972D92354B8A60D8F8C
Malicious:	false
Preview:	{"type":"uninstall","id":"92fa9b10-8efb-4405-913b-cd3de413bd9c","creationDate":"2024-12-13T11:02:16.035Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92319578710181
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNlQ49AxE:8S+OVPUFRbOdwNIOdYpjvY1Q6L4Q4y8P
MD5:	CE28C6AC0BCD63E18028DEEC2CB9C998
SHA1:	E873109D8399535E03EF70AD0A5D4D8B015B2BDB
SHA-256:	F2F34AD6754FF6F70F6C38A4038D4EA0CE7756857632899EE7C8C5BAB38B2283
SHA-512:	19B3B0DD2CF3D073DFBA96AEE7A01974D6BF3A8362EDBD3DC652D997E4D37B44089C4A8D27FB35B80AE80AA2AF48E68553A26430A3D23AB1ECB004A6F6C6F5A0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92319578710181
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNlQ49AxE:8S+OVPUFRbOdwNIOdYpjvY1Q6L4Q4y8P
MD5:	CE28C6AC0BCD63E18028DEEC2CB9C998
SHA1:	E873109D8399535E03EF70AD0A5D4D8B015B2BDB
SHA-256:	F2F34AD6754FF6F70F6C38A4038D4EA0CE7756857632899EE7C8C5BAB38B2283
SHA-512:	19B3B0DD2CF3D073DFBA96AEE7A01974D6BF3A8362EDBD3DC652D997E4D37B44089C4A8D27FB35B80AE80AA2AF48E68553A26430A3D23AB1ECB004A6F6C6F5A0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07332591664048393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkia:DLhesh7Owd4+jia
MD5:	44D1D3DB222F4D22C38C829C8F1FC99A
SHA1:	A0E0144A65D52D481EE89CE9B3BE256120045DD8
SHA-256:	D60A2AA1DB70983C33A69CFFD96F607CE8F652DF2B24BD0B330A36D7A64DC245
SHA-512:	117CC9018965CFF16AEF12951C89F4983F34A3E6A274DE3B95D6F506F1FFBC8C23A645459BC8803550364C5182F6C6722F3DA465436EA9AC3067522E25645DD7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFC1++p+Y4NlYlstFC1++p+Y4N///T89//alEl:GtWtAzR4NyWtAzR4NXL89XuM
MD5:	8389077835FE2D0DC4186B9AD215476E
SHA1:	A6AE028FDE53BCE6A9767E6DC1982454005750A4
SHA-256:	88B80576DDE36576AC7D0E5C9FD4D60E6B26AC68D9DE547509DC203E7AB70150
SHA-512:	896F60B6ABFF82518C73D566BF09B74F53C97C5A9C279E7177AC7DDEC3DA3EBB1A3349D3EE99B254A31A3B9DA844F6D95FE9F96B0AFDA12C753498EE2B92551F
Malicious:	false
Preview:	..-..........................v..`.1..>......[..(..-..........................v..`.1..>......[..(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039609513226141695
Encrypted:	false
SSDEEP:	3:Ol1LC0yv/olNFAdH/93wl8rEXsxdwhml8XW3R2:KnyH4Xk9Al8dMhm93w
MD5:	DA6FCFB44FB14504F50A0D9B70476B5D
SHA1:	FE31E65CD31EF24E26284CC172AF605E0C2AEC9E
SHA-256:	CB7CA35FB3D004A8DD9AAD48BE31B537DAE622AA13B3D2E8BE56473BD2DEC006
SHA-512:	C86A6919AF54B67522A978AF88A1EE0AF6003200FE33C8272E699DCB0A62CCDD4B572ACAD8851C0BE3832CE4BF4FAC756047041ECBEAEDC33BA6309E5BB1C38A
Malicious:	false
Preview:	7....-..........`.1..>.....s.W..........`.1..>........v.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477218109354711
Encrypted:	false
SSDEEP:	192:EnPOeRnLYbBp6aJ0aX+C6SEXKGDN7Y95RHWNBw8dCSl:mDeTJU5jZ7QHEwR0
MD5:	AD34F60F7E083A331F6FA6D77F10C1E2
SHA1:	2DE536E5322B8034D53B320BFD6B233DDECFAE0E
SHA-256:	DDBAE7EDE0804ED047D7C4AFAE07582B983E2994E71CEAB5830FC9E81563EA47
SHA-512:	CF9E6601D1555E4C4691A324D6B9243A20AA283CDD9F943A900AAFDF9C9EF58CCBBD9232BB624477955E675F5BCF827930F6EC11C7F22876EC477C31B1844424
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734087706);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734087706);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734087706);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477218109354711
Encrypted:	false
SSDEEP:	192:EnPOeRnLYbBp6aJ0aX+C6SEXKGDN7Y95RHWNBw8dCSl:mDeTJU5jZ7QHEwR0
MD5:	AD34F60F7E083A331F6FA6D77F10C1E2
SHA1:	2DE536E5322B8034D53B320BFD6B233DDECFAE0E
SHA-256:	DDBAE7EDE0804ED047D7C4AFAE07582B983E2994E71CEAB5830FC9E81563EA47
SHA-512:	CF9E6601D1555E4C4691A324D6B9243A20AA283CDD9F943A900AAFDF9C9EF58CCBBD9232BB624477955E675F5BCF827930F6EC11C7F22876EC477C31B1844424
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734087706);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734087706);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734087706);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.341503653462876
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSLWLXnIrQtt/pnxQwRcWT5sKmgb0rU3eHVpjO+h8amhujJwO2c0Tiv:GUpOxGWDXnRcoegAU3erjxC4Jwc3zBtT
MD5:	52DEEF47A3A8DD8F167C3782D058AA1B
SHA1:	19C92F2F252F0446BAACE5F7EDE193DC598E1F9F
SHA-256:	88A6E56A24276C9F3260539B3003F57EE266F06C14FB5CCC76F5A1CB02B948FB
SHA-512:	2ADFD00721CB0182B6D7FB9AC82F58C4DFB2ACF95CDD7B2AA8B9E728DE95D09802E3DE511BBA27689DEC4E4D03857196C26467328C8FEDF948E38C259D1B5A4B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{28267b81-5df0-4440-be3d-1f14d4b7d049}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734087710898,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..`675904...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....685789,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.341503653462876
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSLWLXnIrQtt/pnxQwRcWT5sKmgb0rU3eHVpjO+h8amhujJwO2c0Tiv:GUpOxGWDXnRcoegAU3erjxC4Jwc3zBtT
MD5:	52DEEF47A3A8DD8F167C3782D058AA1B
SHA1:	19C92F2F252F0446BAACE5F7EDE193DC598E1F9F
SHA-256:	88A6E56A24276C9F3260539B3003F57EE266F06C14FB5CCC76F5A1CB02B948FB
SHA-512:	2ADFD00721CB0182B6D7FB9AC82F58C4DFB2ACF95CDD7B2AA8B9E728DE95D09802E3DE511BBA27689DEC4E4D03857196C26467328C8FEDF948E38C259D1B5A4B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{28267b81-5df0-4440-be3d-1f14d4b7d049}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734087710898,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..`675904...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....685789,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.341503653462876
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSLWLXnIrQtt/pnxQwRcWT5sKmgb0rU3eHVpjO+h8amhujJwO2c0Tiv:GUpOxGWDXnRcoegAU3erjxC4Jwc3zBtT
MD5:	52DEEF47A3A8DD8F167C3782D058AA1B
SHA1:	19C92F2F252F0446BAACE5F7EDE193DC598E1F9F
SHA-256:	88A6E56A24276C9F3260539B3003F57EE266F06C14FB5CCC76F5A1CB02B948FB
SHA-512:	2ADFD00721CB0182B6D7FB9AC82F58C4DFB2ACF95CDD7B2AA8B9E728DE95D09802E3DE511BBA27689DEC4E4D03857196C26467328C8FEDF948E38C259D1B5A4B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{28267b81-5df0-4440-be3d-1f14d4b7d049}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734087710898,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..`675904...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....685789,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028468181643987
Encrypted:	false
SSDEEP:	96:ycNbMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:7YTEr5NX0z3DhRe
MD5:	F90259ACE13D906636AB7C451D372619
SHA1:	3361F5153F3652DEA27DBD1F383A6A8E4D47D65F
SHA-256:	0253839DB0787722E5FE2A570F675ABB1D00483B7753FC5B1150FE01DF942A7D
SHA-512:	A7BEE7C4297DC71FF6B2256AAB86FE8858E162884F2017CAA22B67DB12B71491E0288294893AE28B3834E2C9747FBD964434CCCFA37C241E9642E9BCEF15DADB
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T11:01:33.341Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028468181643987
Encrypted:	false
SSDEEP:	96:ycNbMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:7YTEr5NX0z3DhRe
MD5:	F90259ACE13D906636AB7C451D372619
SHA1:	3361F5153F3652DEA27DBD1F383A6A8E4D47D65F
SHA-256:	0253839DB0787722E5FE2A570F675ABB1D00483B7753FC5B1150FE01DF942A7D
SHA-512:	A7BEE7C4297DC71FF6B2256AAB86FE8858E162884F2017CAA22B67DB12B71491E0288294893AE28B3834E2C9747FBD964434CCCFA37C241E9642E9BCEF15DADB
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T11:01:33.341Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.694619276363792
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	966'656 bytes
MD5:	9b55afc1ca0156a623d6c797cf48ea06
SHA1:	4ba883db2fc00f0ef478ba431904c67b9660a03b
SHA256:	835b3cbdb1fd7a062e79fe9146a6b46aa1fb12d8f408fef57672109f64b1acbe
SHA512:	6b25760b075f8425abdadb054eab3c33a60e573bc57048bc9bde426bb2513f50fe20697770194539a237af10a6929f8abcd5b6150e78f1c77e1da60d8033069c
SSDEEP:	12288:iqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaZlfwq:iqDEvCTbMWu7rQYlBQcBiT6rprG8a7/
TLSH:	6C259E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81DB9BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BFF29 [Fri Dec 13 09:32:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB9F0EF6763h
jmp 00007FB9F0EF606Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB9F0EF624Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB9F0EF621Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB9F0EF8E0Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB9F0EF8E58h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB9F0EF8E41h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x154c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x154c4	0x15600	deda9cb99c0950c85c327f7513382747	False	0.688733552631579	data	7.123905023226813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xc646	data			1.000512234524607
RT_GROUP_ICON	0xe8f44	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe8fbc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe8fd0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe8fe4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe8ff8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe90d4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 10:48:18.854324102 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:18.854365110 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:18.854819059 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:18.859518051 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:18.859551907 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:19.563106060 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:19.563158035 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:19.563216925 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:19.563559055 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:19.563606024 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:19.563654900 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:19.565078974 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:19.565097094 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:19.566612005 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:19.566627026 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:19.829344988 CET	49713	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:19.829391956 CET	443	49713	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:19.829793930 CET	49713	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:19.831206083 CET	49713	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:19.831227064 CET	443	49713	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:20.077848911 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:20.078278065 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:20.638886929 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:20.638977051 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:20.639024019 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:20.639122009 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:20.639282942 CET	49717	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:20.644615889 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:20.644642115 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:20.644778013 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:20.644990921 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:20.646626949 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:20.646774054 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:20.648350954 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:20.759083986 CET	80	49717	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:20.759166956 CET	49717	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:21.061522961 CET	443	49713	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:21.063045979 CET	49713	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:21.125876904 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:21.125931978 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:21.126091003 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:21.126097918 CET	49717	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:21.126142025 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:21.130605936 CET	49713	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:21.130620956 CET	443	49713	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:21.130693913 CET	49713	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:21.130865097 CET	443	49713	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:21.132023096 CET	49713	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:21.256911039 CET	80	49717	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:21.267417908 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.267563105 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.268419981 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.268814087 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.271246910 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.271513939 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.272006989 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.272916079 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.273329973 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.273339033 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.273627996 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.273657084 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.273663998 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.275475979 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:21.275511980 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:21.276525021 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:21.276751995 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:21.276768923 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:21.276937008 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.276942968 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.276981115 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.277107954 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.277271986 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.479413986 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:48:21.479518890 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:48:21.847413063 CET	80	49717	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:21.883435965 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:21.884001017 CET	49717	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:22.003251076 CET	80	49719	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:22.003602982 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:22.003603935 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:22.003848076 CET	80	49717	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:22.123934031 CET	80	49719	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:22.199047089 CET	80	49717	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:22.250899076 CET	49717	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:22.318938971 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:22.352551937 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:22.352570057 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:22.360340118 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:22.361912966 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:22.361931086 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:22.363663912 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:22.363692045 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:22.364104986 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:22.365983009 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:22.366070986 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:22.366163015 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:22.369733095 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:22.369772911 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:22.369771957 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:22.374305010 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:22.374320984 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:22.374423981 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:22.374572039 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:22.374689102 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:22.482810974 CET	80	49719	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:22.492016077 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:22.498814106 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:22.502968073 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:22.502974987 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:22.503238916 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:22.506514072 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:22.506664038 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:22.506711960 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:22.506720066 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:22.507153034 CET	49721	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:22.507195950 CET	443	49721	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:22.507379055 CET	49721	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:22.507611036 CET	49721	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:22.507631063 CET	443	49721	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:22.711338043 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:22.724519014 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:22.898607969 CET	80	49719	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:22.906929970 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.521709919 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.523966074 CET	49717	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.541021109 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:23.541069984 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:23.545743942 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:23.547910929 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:23.547955990 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:23.641691923 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:23.643374920 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.643518925 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.644265890 CET	80	49717	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:23.644330978 CET	49717	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.704231977 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.719069004 CET	443	49721	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:23.719142914 CET	49721	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:23.721947908 CET	49721	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:23.721961975 CET	443	49721	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:23.722486973 CET	443	49721	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:23.724313974 CET	49721	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:23.724400997 CET	49721	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:23.724510908 CET	443	49721	34.160.144.191	192.168.2.5
Dec 13, 2024 10:48:23.724572897 CET	49721	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:48:23.763221979 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:23.823942900 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:23.824038029 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.824228048 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:23.943922043 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:24.730338097 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:24.768055916 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:24.768131018 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:24.772466898 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:24.772479057 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:24.772655964 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:24.772728920 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:24.773000956 CET	49726	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:24.773037910 CET	443	49726	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:24.776849031 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:24.776892900 CET	49726	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:24.778458118 CET	49726	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:24.778471947 CET	443	49726	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:24.786901951 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:24.911164045 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:24.965296984 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:26.001405954 CET	443	49726	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:26.001492023 CET	49726	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:26.006913900 CET	49726	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:26.006928921 CET	443	49726	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:26.007091045 CET	49726	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:26.007122993 CET	443	49726	34.117.188.166	192.168.2.5
Dec 13, 2024 10:48:26.007205963 CET	49726	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:48:27.059218884 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:27.059611082 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:27.179058075 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:27.179397106 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:27.375274897 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:27.375395060 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:27.429132938 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:27.429231882 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:27.845453024 CET	49731	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:27.845505953 CET	443	49731	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:27.846402884 CET	49731	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:27.846446991 CET	49731	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:27.846455097 CET	443	49731	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:29.059484005 CET	443	49731	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:29.059598923 CET	49731	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:29.063431978 CET	49731	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:29.063445091 CET	443	49731	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:29.063651085 CET	443	49731	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:29.067482948 CET	49731	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:29.067579985 CET	49731	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:29.067608118 CET	443	49731	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:29.067751884 CET	49731	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:32.334120035 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:32.386208057 CET	49744	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:32.386275053 CET	443	49744	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:32.386698008 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:32.387746096 CET	49744	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:32.389503002 CET	49744	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:32.389519930 CET	443	49744	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:32.453897953 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:32.464270115 CET	49745	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:32.464297056 CET	443	49745	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:32.468828917 CET	49745	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:32.470515013 CET	49745	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:32.470525980 CET	443	49745	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:32.506640911 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:32.648875952 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:32.690907001 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:32.701461077 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:32.727757931 CET	49746	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:32.727801085 CET	443	49746	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:32.728133917 CET	49746	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:32.729798079 CET	49746	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:32.729813099 CET	443	49746	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:32.744282007 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:32.852421999 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:32.972245932 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:33.179244041 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:33.230155945 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:33.607264042 CET	443	49744	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:33.607500076 CET	49744	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:33.612147093 CET	49744	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:33.612160921 CET	443	49744	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:33.612298012 CET	49744	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:33.612390995 CET	443	49744	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:33.615942001 CET	49744	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:33.692742109 CET	443	49745	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:33.692862988 CET	49745	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:33.945204020 CET	443	49746	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:33.945363045 CET	49746	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:34.131715059 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:34.135719061 CET	49745	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:34.135749102 CET	443	49745	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:34.135812998 CET	49745	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:34.136162996 CET	443	49745	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:34.138422012 CET	49745	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:34.251872063 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:34.446752071 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:34.477528095 CET	49746	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:34.477545977 CET	443	49746	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:34.477797985 CET	49746	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:34.477861881 CET	443	49746	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:34.478012085 CET	49752	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:34.478077888 CET	443	49752	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:34.480561972 CET	49746	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:34.480590105 CET	49752	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:34.482779980 CET	49752	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:34.482798100 CET	443	49752	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:34.496156931 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:34.620985031 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:34.740801096 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:34.776936054 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:34.776983976 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:34.777462006 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:34.778938055 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:34.778959036 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:34.935532093 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:34.981971979 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:35.694715977 CET	443	49752	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:35.694797039 CET	49752	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:35.990098953 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:35.990221977 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:36.996356010 CET	49752	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:36.996392012 CET	443	49752	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:36.996437073 CET	49752	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:36.996603966 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:36.996639013 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:36.996653080 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:36.996756077 CET	443	49752	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:36.996819973 CET	49752	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:36.996864080 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:36.996922970 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.617682934 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:37.736433983 CET	49764	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.736495972 CET	443	49764	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:37.737663031 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:37.748120070 CET	49764	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.750473022 CET	49764	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.750488997 CET	443	49764	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:37.761329889 CET	49765	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:37.761374950 CET	443	49765	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:37.761457920 CET	49765	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:37.762794018 CET	49765	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:37.762808084 CET	443	49765	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:37.877201080 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.877300978 CET	443	49766	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:37.877337933 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.877378941 CET	443	49767	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:37.877401114 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.877536058 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.877557993 CET	443	49766	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:37.877733946 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.877851963 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:37.877861977 CET	443	49767	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:37.932008982 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:37.935406923 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:37.979636908 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:38.055205107 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:38.250212908 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:38.296185970 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:38.633968115 CET	49768	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:38.634016991 CET	443	49768	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:38.634464025 CET	49768	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:38.635900974 CET	49768	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:38.635950089 CET	443	49768	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:38.964229107 CET	443	49764	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.964246988 CET	443	49764	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.964462996 CET	49764	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.968414068 CET	49764	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.968445063 CET	443	49764	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.968545914 CET	49764	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.968669891 CET	443	49764	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.969778061 CET	49764	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.971426010 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:38.972755909 CET	443	49765	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:38.973150969 CET	49765	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:38.976721048 CET	49765	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:38.976728916 CET	443	49765	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:38.976799011 CET	49765	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:38.976916075 CET	443	49765	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:38.977456093 CET	49765	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:38.984958887 CET	49769	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.985002995 CET	443	49769	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.985393047 CET	49769	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.985539913 CET	49769	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.985548019 CET	443	49769	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.988763094 CET	49770	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.988800049 CET	443	49770	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.989367008 CET	49770	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.989480972 CET	49770	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.989490032 CET	443	49770	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.994282007 CET	49771	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.994316101 CET	443	49771	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:38.994513988 CET	49771	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.995836973 CET	49771	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:38.995867014 CET	443	49771	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.091332912 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:39.094235897 CET	443	49766	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.094346046 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.095256090 CET	443	49767	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.095333099 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.097712994 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.097743988 CET	443	49766	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.098021030 CET	443	49766	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.100351095 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.100385904 CET	443	49767	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.100871086 CET	443	49767	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.151937962 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.152077913 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.286058903 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:39.330368042 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:39.420977116 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.421071053 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.421518087 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.421611071 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.421655893 CET	443	49766	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.421735048 CET	49766	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.422107935 CET	443	49767	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:39.423048019 CET	49767	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:39.851911068 CET	443	49768	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:39.852001905 CET	49768	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:39.857084036 CET	49768	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:39.857106924 CET	443	49768	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:39.857173920 CET	49768	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:39.857270956 CET	443	49768	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:39.857525110 CET	49768	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:40.195693970 CET	443	49769	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.195816040 CET	49769	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.199862957 CET	443	49770	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.200402021 CET	49769	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.200433016 CET	443	49769	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.200675964 CET	49770	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.200692892 CET	443	49769	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.204046965 CET	49770	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.204062939 CET	443	49770	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.204423904 CET	443	49770	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.207601070 CET	443	49771	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.207828045 CET	49771	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.210418940 CET	49769	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.210549116 CET	49769	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.210577011 CET	443	49769	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.210798979 CET	49770	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.210885048 CET	49770	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.210992098 CET	443	49770	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:40.211276054 CET	49769	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:40.211285114 CET	49770	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:41.167804956 CET	49771	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:41.167834044 CET	443	49771	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:41.167916059 CET	49771	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:41.168045044 CET	443	49771	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:41.168114901 CET	49771	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:42.162484884 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:42.265913963 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:42.282283068 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:42.385762930 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:42.412636042 CET	49782	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:42.412679911 CET	443	49782	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:42.413105965 CET	49782	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:42.415147066 CET	49782	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:42.415179968 CET	443	49782	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:42.477181911 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:42.524425030 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:42.580965042 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:42.585504055 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:42.624753952 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:42.705349922 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:42.899869919 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:42.941248894 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:43.627352953 CET	443	49782	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:43.627427101 CET	49782	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:43.633368969 CET	49782	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:43.633375883 CET	443	49782	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:43.633491039 CET	49782	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:43.633596897 CET	443	49782	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:43.635198116 CET	49782	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:43.637506008 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:43.640146971 CET	49783	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:43.640252113 CET	443	49783	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:43.640482903 CET	49783	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:43.642327070 CET	49783	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:43.642369032 CET	443	49783	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:43.757292032 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:43.951869011 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:43.955950975 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:43.997514009 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:44.075902939 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:44.270513058 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:44.314044952 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:44.853041887 CET	443	49783	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:44.853128910 CET	49783	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:44.857038975 CET	49783	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:44.857068062 CET	443	49783	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:44.857156038 CET	49783	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:44.857266903 CET	443	49783	34.120.208.123	192.168.2.5
Dec 13, 2024 10:48:44.858596087 CET	49783	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:48:44.860646009 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:44.980390072 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:45.177295923 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:45.180869102 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:45.232273102 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:45.302424908 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:45.496088028 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:45.548784971 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:47.314565897 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:47.314625025 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:47.314754009 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:47.314964056 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:47.314985037 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:47.341311932 CET	49795	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:47.341332912 CET	443	49795	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:47.343282938 CET	49795	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:47.345418930 CET	49795	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:47.345434904 CET	443	49795	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:47.482548952 CET	49796	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:48:47.482599020 CET	443	49796	35.201.103.21	192.168.2.5
Dec 13, 2024 10:48:47.483076096 CET	49796	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:48:47.484529972 CET	49796	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:48:47.484546900 CET	443	49796	35.201.103.21	192.168.2.5
Dec 13, 2024 10:48:47.524919033 CET	49797	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:47.524956942 CET	443	49797	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:47.525216103 CET	49797	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:47.525394917 CET	49797	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:47.525409937 CET	443	49797	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:47.527501106 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:47.527519941 CET	443	49798	151.101.65.91	192.168.2.5
Dec 13, 2024 10:48:47.527780056 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:47.527993917 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:47.528008938 CET	443	49798	151.101.65.91	192.168.2.5
Dec 13, 2024 10:48:48.527367115 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:48.527508020 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:48.531795025 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:48.531826019 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:48.532085896 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:48.534230947 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:48.534328938 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:48.534409046 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:48.534578085 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:48.538868904 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:48.556688070 CET	443	49795	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:48.556792021 CET	49795	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:48.561758995 CET	49795	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:48.561773062 CET	443	49795	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:48.561892033 CET	49795	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:48.561945915 CET	443	49795	35.190.72.216	192.168.2.5
Dec 13, 2024 10:48:48.562119961 CET	49795	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:48:48.658799887 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:48.700572968 CET	443	49796	35.201.103.21	192.168.2.5
Dec 13, 2024 10:48:48.700691938 CET	49796	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:48:48.705835104 CET	49796	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:48:48.705848932 CET	443	49796	35.201.103.21	192.168.2.5
Dec 13, 2024 10:48:48.706026077 CET	49796	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:48:48.706072092 CET	443	49796	35.201.103.21	192.168.2.5
Dec 13, 2024 10:48:48.709718943 CET	49796	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:48:48.720701933 CET	49804	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:48.720735073 CET	443	49804	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:48.720932007 CET	49804	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:48.721096039 CET	49804	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:48.721105099 CET	443	49804	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:48.734867096 CET	443	49797	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.734942913 CET	49797	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.739011049 CET	49797	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.739015102 CET	443	49797	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.739258051 CET	443	49797	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.741420031 CET	49797	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.741524935 CET	49797	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.741559982 CET	443	49797	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.742527008 CET	49797	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.754472017 CET	443	49798	151.101.65.91	192.168.2.5
Dec 13, 2024 10:48:48.755171061 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:48.758829117 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:48.758833885 CET	443	49798	151.101.65.91	192.168.2.5
Dec 13, 2024 10:48:48.759265900 CET	443	49798	151.101.65.91	192.168.2.5
Dec 13, 2024 10:48:48.761760950 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:48.761760950 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:48.762010098 CET	443	49798	151.101.65.91	192.168.2.5
Dec 13, 2024 10:48:48.771348000 CET	443	49798	151.101.65.91	192.168.2.5
Dec 13, 2024 10:48:48.772104979 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.772140980 CET	443	49805	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.772286892 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.772326946 CET	443	49806	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.772726059 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:48.772751093 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:48.772764921 CET	49798	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:48:48.772804976 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.772944927 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.772958040 CET	443	49805	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.772958994 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.773103952 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.773118973 CET	443	49806	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.773776054 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.773786068 CET	443	49807	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.773878098 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.773993969 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:48.774005890 CET	443	49807	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:48.854542017 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:48.858023882 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:48.896229982 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:48.977770090 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:49.172674894 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:49.212724924 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:49.931484938 CET	443	49804	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:49.931581020 CET	49804	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:49.934910059 CET	49804	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:49.934921980 CET	443	49804	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:49.935226917 CET	443	49804	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:49.938139915 CET	49804	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:49.938261986 CET	49804	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:49.938359976 CET	443	49804	34.149.100.209	192.168.2.5
Dec 13, 2024 10:48:49.938430071 CET	49804	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:48:49.941776037 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:49.985557079 CET	443	49805	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.985575914 CET	443	49806	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.985651016 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.986027002 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.988394976 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.988408089 CET	443	49805	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.988683939 CET	443	49805	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.989967108 CET	443	49807	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.990797043 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.990814924 CET	443	49806	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.991055965 CET	443	49806	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.993180037 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.993284941 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.993356943 CET	443	49805	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.993366003 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.993470907 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.993496895 CET	443	49806	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.995335102 CET	443	49807	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:49.997931004 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.997934103 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.997957945 CET	49805	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.997987032 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.997992039 CET	49806	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:49.999454975 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:50.000915051 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:50.000925064 CET	443	49807	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:50.001693964 CET	443	49807	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:50.003954887 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:50.004020929 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:50.004323959 CET	443	49807	35.244.181.201	192.168.2.5
Dec 13, 2024 10:48:50.004410028 CET	49807	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:48:50.061450958 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:50.257595062 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:50.261218071 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:50.300308943 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:50.380907059 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:50.575599909 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:50.632472038 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:52.273705006 CET	49813	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:52.273793936 CET	443	49813	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:52.274399042 CET	49813	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:52.275876045 CET	49813	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:52.275911093 CET	443	49813	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:53.798654079 CET	443	49813	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:53.801840067 CET	49813	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:53.806344986 CET	49813	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:53.806390047 CET	443	49813	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:53.806438923 CET	49813	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:53.806560993 CET	443	49813	34.107.243.93	192.168.2.5
Dec 13, 2024 10:48:53.807373047 CET	49813	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:48:53.809844971 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:53.930119038 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:54.123975039 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:54.127823114 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:54.173870087 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:54.182903051 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:54.247592926 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:54.302944899 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:54.442528963 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:54.496885061 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:54.497046947 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:54.500669956 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:54.543771029 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:48:54.620465040 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:54.816086054 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:48:54.860455990 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:04.503498077 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:04.623389006 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:04.825915098 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:05.107436895 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:13.928203106 CET	49865	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:13.928270102 CET	443	49865	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:13.929055929 CET	49865	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:13.930577040 CET	49865	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:13.930610895 CET	443	49865	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:14.632843018 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:14.752722025 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:15.118792057 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:15.140927076 CET	443	49865	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:15.141081095 CET	49865	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:15.146122932 CET	49865	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:15.146146059 CET	443	49865	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:15.146249056 CET	49865	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:15.147152901 CET	443	49865	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:15.147234917 CET	49865	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:15.149575949 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:15.238550901 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:15.269443989 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:15.464145899 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:15.468415022 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:15.519495964 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:15.588223934 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:15.782953024 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:15.836052895 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:17.455909967 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:17.455961943 CET	443	49877	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:17.456017971 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:17.456083059 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:17.456083059 CET	443	49876	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:17.456208944 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:17.456228971 CET	443	49877	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:17.456742048 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:17.456837893 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:17.456856966 CET	443	49876	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.672002077 CET	443	49877	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.673671007 CET	443	49876	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.678008080 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.678008080 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.681452990 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.681487083 CET	443	49877	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.682383060 CET	443	49877	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.684047937 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.684067965 CET	443	49876	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.684958935 CET	443	49876	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.688672066 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.688673973 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.688878059 CET	443	49877	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.689105988 CET	443	49876	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.693383932 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.693398952 CET	443	49876	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.693428993 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.693444014 CET	443	49877	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.695333004 CET	443	49877	34.120.208.123	192.168.2.5
Dec 13, 2024 10:49:18.696206093 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:18.697552919 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.697552919 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.697575092 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.697575092 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.697575092 CET	49876	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.697689056 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.697689056 CET	49877	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:49:18.815948963 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:19.010232925 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:19.014249086 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:19.067894936 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:19.133917093 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:19.329329014 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:19.384413958 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:29.013071060 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:29.132884979 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:29.329734087 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:29.449704885 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:39.141232014 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:39.261220932 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:39.457808018 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:39.577737093 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:49.270636082 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:49.391385078 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:49.587152004 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:49.707231045 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:55.368256092 CET	49962	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:55.368356943 CET	443	49962	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:55.369216919 CET	49962	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:55.370695114 CET	49962	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:55.370716095 CET	443	49962	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:56.583806992 CET	443	49962	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:56.583892107 CET	49962	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:56.590384007 CET	49962	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:56.590396881 CET	443	49962	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:56.590492964 CET	49962	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:56.590703964 CET	443	49962	34.107.243.93	192.168.2.5
Dec 13, 2024 10:49:56.590771914 CET	49962	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:49:56.593346119 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:56.713139057 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:56.908118963 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:56.912827969 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:56.960366011 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:49:57.032712936 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:57.228055000 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:49:57.277085066 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:50:06.927319050 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:50:07.047161102 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:50:07.228183031 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:50:07.349555969 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 10:50:17.061306000 CET	49724	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:50:17.181085110 CET	80	49724	34.107.221.82	192.168.2.5
Dec 13, 2024 10:50:17.362252951 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:50:17.482085943 CET	80	49722	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 10:48:18.854696989 CET	54733	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:18.992953062 CET	53	54733	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:19.018260002 CET	60759	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:19.236602068 CET	53	60759	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:19.423347950 CET	54752	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:19.522768021 CET	58562	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:19.560432911 CET	53	54752	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:19.568671942 CET	61027	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:19.690006971 CET	63693	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:19.706001997 CET	53	61027	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:19.706640959 CET	58533	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:19.763483047 CET	54678	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:19.828165054 CET	53	63693	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:19.829508066 CET	64696	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:19.844064951 CET	53	58533	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:19.900859118 CET	53	54678	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:19.969937086 CET	53	64696	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:19.970824003 CET	50766	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:20.109196901 CET	53	50766	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:20.612428904 CET	64989	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:20.615103006 CET	50025	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:20.615282059 CET	59211	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:20.751753092 CET	53	64989	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:20.752494097 CET	53	59211	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:20.755959988 CET	51239	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:20.756344080 CET	52756	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:20.838247061 CET	53	50025	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:20.839109898 CET	63084	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:20.893399000 CET	53	51239	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:20.894172907 CET	53	52756	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:20.978946924 CET	53	63084	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:21.127294064 CET	64747	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:21.131393909 CET	62172	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:21.274310112 CET	53	62172	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:21.275794029 CET	50644	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:21.414520979 CET	53	50644	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:21.415355921 CET	62708	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:21.553622961 CET	53	62708	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:21.857717991 CET	55055	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:21.858444929 CET	60245	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:21.995131969 CET	53	55055	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:21.995743990 CET	53	60245	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:24.240053892 CET	64726	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:24.377589941 CET	53	64726	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:24.380867004 CET	53770	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:24.518867016 CET	53	53770	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:24.519778013 CET	61932	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:24.658484936 CET	53	61932	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:26.936314106 CET	57715	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:27.550174952 CET	53	64784	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:27.845812082 CET	57488	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:27.847357035 CET	63115	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:27.982758045 CET	53	57488	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:27.984329939 CET	53	63115	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:27.985749960 CET	65258	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:28.125024080 CET	53	65258	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:28.129822016 CET	61427	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:28.270011902 CET	53	61427	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:32.476730108 CET	52590	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:32.587034941 CET	64981	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:32.614483118 CET	53	52590	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:32.615808964 CET	57233	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:32.726075888 CET	53	64981	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:32.727550983 CET	61235	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:32.753793955 CET	53	57233	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:32.865284920 CET	53	61235	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:32.866139889 CET	58870	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:33.003585100 CET	53	58870	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:37.737607956 CET	56059	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:37.876137972 CET	53	56059	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:38.634166956 CET	49581	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:38.772706032 CET	53	49581	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.030391932 CET	56477	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.030615091 CET	56627	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.030699968 CET	53917	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.168405056 CET	53	53917	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.169008017 CET	53	56477	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.169913054 CET	53	56627	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.416114092 CET	64021	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.416182995 CET	58124	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.416387081 CET	56965	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.554053068 CET	53	58124	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.554306030 CET	53	56965	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.554363966 CET	53	64021	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.558119059 CET	55500	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.558295012 CET	59630	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.558692932 CET	61622	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.695988894 CET	53	55500	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.696693897 CET	53	59630	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.697098017 CET	61510	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.697448969 CET	52755	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.834757090 CET	53	52755	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.834798098 CET	53	61510	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.836045980 CET	51876	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.836045980 CET	58940	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:39.871788025 CET	53	61622	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.973500967 CET	53	51876	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:39.975087881 CET	51838	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:40.037794113 CET	53	58940	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:40.039246082 CET	59915	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:40.111903906 CET	53	51838	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:40.260833025 CET	53	59915	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:42.413183928 CET	49272	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:42.550632954 CET	53	49272	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:47.310662031 CET	49330	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:47.342783928 CET	56101	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:47.481141090 CET	53	56101	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:47.483006001 CET	60542	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:47.524090052 CET	57734	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:47.526329994 CET	53	49330	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:47.527721882 CET	49522	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:47.621409893 CET	53	60542	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:47.622313023 CET	55984	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:47.661350012 CET	53	57734	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:47.666496038 CET	53	49522	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:47.667356968 CET	62403	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:47.761888027 CET	53	55984	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:47.896034956 CET	53	62403	1.1.1.1	192.168.2.5
Dec 13, 2024 10:48:52.274040937 CET	54449	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:48:52.411673069 CET	53	54449	1.1.1.1	192.168.2.5
Dec 13, 2024 10:49:13.928766966 CET	54843	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:49:14.066093922 CET	53	54843	1.1.1.1	192.168.2.5
Dec 13, 2024 10:49:17.456093073 CET	59417	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:49:17.593954086 CET	53	59417	1.1.1.1	192.168.2.5
Dec 13, 2024 10:49:55.229885101 CET	58282	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:49:55.367094040 CET	53	58282	1.1.1.1	192.168.2.5
Dec 13, 2024 10:49:55.368607998 CET	59992	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:49:55.506546974 CET	53	59992	1.1.1.1	192.168.2.5
Dec 13, 2024 10:49:56.593666077 CET	58247	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 10:48:18.854696989 CET	192.168.2.5	1.1.1.1	0x59eb	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.018260002 CET	192.168.2.5	1.1.1.1	0xf8d0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:19.423347950 CET	192.168.2.5	1.1.1.1	0xb3a4	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.522768021 CET	192.168.2.5	1.1.1.1	0x12ec	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.568671942 CET	192.168.2.5	1.1.1.1	0xaffd	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.690006971 CET	192.168.2.5	1.1.1.1	0x679c	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.706640959 CET	192.168.2.5	1.1.1.1	0x55f9	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:19.763483047 CET	192.168.2.5	1.1.1.1	0xd47c	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.829508066 CET	192.168.2.5	1.1.1.1	0x2716	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.970824003 CET	192.168.2.5	1.1.1.1	0x6fbe	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:20.612428904 CET	192.168.2.5	1.1.1.1	0x5016	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:20.615103006 CET	192.168.2.5	1.1.1.1	0x7d1	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:20.615282059 CET	192.168.2.5	1.1.1.1	0x7454	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:20.755959988 CET	192.168.2.5	1.1.1.1	0xdc32	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:20.756344080 CET	192.168.2.5	1.1.1.1	0xdea	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:20.839109898 CET	192.168.2.5	1.1.1.1	0xbc55	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:21.127294064 CET	192.168.2.5	1.1.1.1	0x6abf	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.131393909 CET	192.168.2.5	1.1.1.1	0x2144	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.275794029 CET	192.168.2.5	1.1.1.1	0x8742	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.415355921 CET	192.168.2.5	1.1.1.1	0xd54d	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:21.857717991 CET	192.168.2.5	1.1.1.1	0xa594	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.858444929 CET	192.168.2.5	1.1.1.1	0x2d0	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:24.240053892 CET	192.168.2.5	1.1.1.1	0x2545	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:24.380867004 CET	192.168.2.5	1.1.1.1	0x207e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:24.519778013 CET	192.168.2.5	1.1.1.1	0x73ec	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:26.936314106 CET	192.168.2.5	1.1.1.1	0x5575	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:27.845812082 CET	192.168.2.5	1.1.1.1	0x56f8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:27.847357035 CET	192.168.2.5	1.1.1.1	0xc982	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:27.985749960 CET	192.168.2.5	1.1.1.1	0x8cb4	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:28.129822016 CET	192.168.2.5	1.1.1.1	0x7516	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:32.476730108 CET	192.168.2.5	1.1.1.1	0x378	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:32.587034941 CET	192.168.2.5	1.1.1.1	0x8c10	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:32.615808964 CET	192.168.2.5	1.1.1.1	0x84af	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:32.727550983 CET	192.168.2.5	1.1.1.1	0xc905	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:32.866139889 CET	192.168.2.5	1.1.1.1	0x1251	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:37.737607956 CET	192.168.2.5	1.1.1.1	0x6d1d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:38.634166956 CET	192.168.2.5	1.1.1.1	0x496	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:39.030391932 CET	192.168.2.5	1.1.1.1	0xd078	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.030615091 CET	192.168.2.5	1.1.1.1	0x684b	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.030699968 CET	192.168.2.5	1.1.1.1	0x79d1	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.416114092 CET	192.168.2.5	1.1.1.1	0x4d35	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.416182995 CET	192.168.2.5	1.1.1.1	0x8320	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.416387081 CET	192.168.2.5	1.1.1.1	0xed5e	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.558119059 CET	192.168.2.5	1.1.1.1	0xb2f2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:39.558295012 CET	192.168.2.5	1.1.1.1	0x3edd	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:39.558692932 CET	192.168.2.5	1.1.1.1	0x2892	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 10:48:39.697098017 CET	192.168.2.5	1.1.1.1	0x5ebb	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.697448969 CET	192.168.2.5	1.1.1.1	0xcaa5	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.836045980 CET	192.168.2.5	1.1.1.1	0x200a	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.836045980 CET	192.168.2.5	1.1.1.1	0xe86a	Standard query (0)	dualstack.reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.975087881 CET	192.168.2.5	1.1.1.1	0x2389	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:40.039246082 CET	192.168.2.5	1.1.1.1	0x5a18	Standard query (0)	dualstack.reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:42.413183928 CET	192.168.2.5	1.1.1.1	0x590c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:47.310662031 CET	192.168.2.5	1.1.1.1	0x3332	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.342783928 CET	192.168.2.5	1.1.1.1	0x74d0	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.483006001 CET	192.168.2.5	1.1.1.1	0xa10a	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.524090052 CET	192.168.2.5	1.1.1.1	0xfd63	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:48:47.527721882 CET	192.168.2.5	1.1.1.1	0x647c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.622313023 CET	192.168.2.5	1.1.1.1	0x7c72	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:48:47.667356968 CET	192.168.2.5	1.1.1.1	0xdb91	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 10:48:52.274040937 CET	192.168.2.5	1.1.1.1	0x9012	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:49:13.928766966 CET	192.168.2.5	1.1.1.1	0x332f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:49:17.456093073 CET	192.168.2.5	1.1.1.1	0xf99e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:49:55.229885101 CET	192.168.2.5	1.1.1.1	0xc834	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:49:55.368607998 CET	192.168.2.5	1.1.1.1	0xf11	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:49:56.593666077 CET	192.168.2.5	1.1.1.1	0xf704	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 10:48:18.840761900 CET	1.1.1.1	192.168.2.5	0x65ce	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:18.992953062 CET	1.1.1.1	192.168.2.5	0x59eb	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.560432911 CET	1.1.1.1	192.168.2.5	0xb3a4	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.706001997 CET	1.1.1.1	192.168.2.5	0xaffd	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.828165054 CET	1.1.1.1	192.168.2.5	0x679c	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.844064951 CET	1.1.1.1	192.168.2.5	0x55f9	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 10:48:19.900859118 CET	1.1.1.1	192.168.2.5	0xd47c	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:19.900859118 CET	1.1.1.1	192.168.2.5	0xd47c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.901149988 CET	1.1.1.1	192.168.2.5	0xd41e	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:19.901149988 CET	1.1.1.1	192.168.2.5	0xd41e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.915792942 CET	1.1.1.1	192.168.2.5	0x12ec	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:19.915792942 CET	1.1.1.1	192.168.2.5	0x12ec	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:19.969937086 CET	1.1.1.1	192.168.2.5	0x2716	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:20.751753092 CET	1.1.1.1	192.168.2.5	0x5016	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:20.752494097 CET	1.1.1.1	192.168.2.5	0x7454	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:20.838247061 CET	1.1.1.1	192.168.2.5	0x7d1	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:20.894172907 CET	1.1.1.1	192.168.2.5	0xdea	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 10:48:21.274310112 CET	1.1.1.1	192.168.2.5	0x2144	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:21.274310112 CET	1.1.1.1	192.168.2.5	0x2144	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:21.274310112 CET	1.1.1.1	192.168.2.5	0x2144	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.274398088 CET	1.1.1.1	192.168.2.5	0x4006	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:21.274398088 CET	1.1.1.1	192.168.2.5	0x4006	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.275427103 CET	1.1.1.1	192.168.2.5	0x6abf	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:21.275427103 CET	1.1.1.1	192.168.2.5	0x6abf	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.414520979 CET	1.1.1.1	192.168.2.5	0x8742	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.553622961 CET	1.1.1.1	192.168.2.5	0xd54d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 10:48:21.995131969 CET	1.1.1.1	192.168.2.5	0xa594	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.995743990 CET	1.1.1.1	192.168.2.5	0x2d0	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:21.995743990 CET	1.1.1.1	192.168.2.5	0x2d0	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:24.377589941 CET	1.1.1.1	192.168.2.5	0x2545	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:24.377589941 CET	1.1.1.1	192.168.2.5	0x2545	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:24.377589941 CET	1.1.1.1	192.168.2.5	0x2545	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:24.518867016 CET	1.1.1.1	192.168.2.5	0x207e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:27.163655996 CET	1.1.1.1	192.168.2.5	0x5575	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:27.984329939 CET	1.1.1.1	192.168.2.5	0xc982	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:28.125024080 CET	1.1.1.1	192.168.2.5	0x8cb4	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:32.438009977 CET	1.1.1.1	192.168.2.5	0x870d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:32.614483118 CET	1.1.1.1	192.168.2.5	0x378	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:32.726075888 CET	1.1.1.1	192.168.2.5	0x8c10	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:32.726075888 CET	1.1.1.1	192.168.2.5	0x8c10	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:32.865284920 CET	1.1.1.1	192.168.2.5	0xc905	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:34.758879900 CET	1.1.1.1	192.168.2.5	0x4595	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.168405056 CET	1.1.1.1	192.168.2.5	0x79d1	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:39.168405056 CET	1.1.1.1	192.168.2.5	0x79d1	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169008017 CET	1.1.1.1	192.168.2.5	0xd078	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169913054 CET	1.1.1.1	192.168.2.5	0x684b	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:39.169913054 CET	1.1.1.1	192.168.2.5	0x684b	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554053068 CET	1.1.1.1	192.168.2.5	0x8320	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554306030 CET	1.1.1.1	192.168.2.5	0xed5e	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.554363966 CET	1.1.1.1	192.168.2.5	0x4d35	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.695988894 CET	1.1.1.1	192.168.2.5	0xb2f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:48:39.695988894 CET	1.1.1.1	192.168.2.5	0xb2f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:48:39.695988894 CET	1.1.1.1	192.168.2.5	0xb2f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:48:39.695988894 CET	1.1.1.1	192.168.2.5	0xb2f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:48:39.696693897 CET	1.1.1.1	192.168.2.5	0x3edd	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 10:48:39.834757090 CET	1.1.1.1	192.168.2.5	0xcaa5	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.834798098 CET	1.1.1.1	192.168.2.5	0x5ebb	No error (0)	www.reddit.com	dualstack.reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:39.834798098 CET	1.1.1.1	192.168.2.5	0x5ebb	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.834798098 CET	1.1.1.1	192.168.2.5	0x5ebb	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.834798098 CET	1.1.1.1	192.168.2.5	0x5ebb	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.834798098 CET	1.1.1.1	192.168.2.5	0x5ebb	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:39.871788025 CET	1.1.1.1	192.168.2.5	0x2892	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 10:48:39.973500967 CET	1.1.1.1	192.168.2.5	0x200a	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:40.037794113 CET	1.1.1.1	192.168.2.5	0xe86a	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:40.037794113 CET	1.1.1.1	192.168.2.5	0xe86a	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:40.037794113 CET	1.1.1.1	192.168.2.5	0xe86a	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:40.037794113 CET	1.1.1.1	192.168.2.5	0xe86a	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:40.260833025 CET	1.1.1.1	192.168.2.5	0x5a18	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 13, 2024 10:48:40.260833025 CET	1.1.1.1	192.168.2.5	0x5a18	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 13, 2024 10:48:40.260833025 CET	1.1.1.1	192.168.2.5	0x5a18	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 13, 2024 10:48:40.260833025 CET	1.1.1.1	192.168.2.5	0x5a18	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 13, 2024 10:48:42.409554005 CET	1.1.1.1	192.168.2.5	0x9d34	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.481141090 CET	1.1.1.1	192.168.2.5	0x74d0	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:47.481141090 CET	1.1.1.1	192.168.2.5	0x74d0	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.522285938 CET	1.1.1.1	192.168.2.5	0xb192	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:47.522285938 CET	1.1.1.1	192.168.2.5	0xb192	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.526329994 CET	1.1.1.1	192.168.2.5	0x3332	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.526329994 CET	1.1.1.1	192.168.2.5	0x3332	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.526329994 CET	1.1.1.1	192.168.2.5	0x3332	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.526329994 CET	1.1.1.1	192.168.2.5	0x3332	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.621409893 CET	1.1.1.1	192.168.2.5	0xa10a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.666496038 CET	1.1.1.1	192.168.2.5	0x647c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.666496038 CET	1.1.1.1	192.168.2.5	0x647c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.666496038 CET	1.1.1.1	192.168.2.5	0x647c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.666496038 CET	1.1.1.1	192.168.2.5	0x647c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:48:47.896034956 CET	1.1.1.1	192.168.2.5	0xdb91	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:48:47.896034956 CET	1.1.1.1	192.168.2.5	0xdb91	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:48:47.896034956 CET	1.1.1.1	192.168.2.5	0xdb91	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:48:47.896034956 CET	1.1.1.1	192.168.2.5	0xdb91	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:48:50.243675947 CET	1.1.1.1	192.168.2.5	0xb007	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:48:50.243675947 CET	1.1.1.1	192.168.2.5	0xb007	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:49:17.454184055 CET	1.1.1.1	192.168.2.5	0xace7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:49:55.367094040 CET	1.1.1.1	192.168.2.5	0xc834	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:49:56.732450962 CET	1.1.1.1	192.168.2.5	0xf704	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:49:56.732450962 CET	1.1.1.1	192.168.2.5	0xf704	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49717	34.107.221.82	80	4676	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:48:21.126097918 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:21.847413063 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81039 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:21.884001017 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:22.199047089 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81040 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	4676	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:48:22.003603935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49722	34.107.221.82	80	4676	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:48:23.643518925 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:24.730338097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85196 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:27.059218884 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:27.375274897 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85199 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:32.334120035 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:32.648875952 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85204 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:32.852421999 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:33.179244041 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85205 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:34.620985031 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:34.935532093 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85206 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:37.935406923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:38.250212908 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85210 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:42.162484884 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:42.477181911 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85214 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:42.585504055 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:42.899869919 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85214 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:43.955950975 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:44.270513058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85216 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:45.180869102 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:45.496088028 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85217 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:48.858023882 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:49.172674894 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85221 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:50.261218071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:50.575599909 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85222 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:54.127823114 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:54.442528963 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85226 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:48:54.500669956 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:48:54.816086054 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85226 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:49:04.825915098 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:15.118792057 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:15.468415022 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:49:15.782953024 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85247 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:49:19.014249086 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:49:19.329329014 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85251 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:49:29.329734087 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:39.457808018 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:49.587152004 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:56.912827969 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:49:57.228055000 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85289 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:50:07.228183031 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:50:17.362252951 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49724	34.107.221.82	80	4676	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:48:23.824228048 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:24.911164045 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81042 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:27.059611082 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:27.375395060 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81045 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:32.386698008 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:32.701461077 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81050 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:34.131715059 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:34.446752071 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81052 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:37.617682934 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:37.932008982 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81055 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:38.971426010 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:39.286058903 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81057 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:42.265913963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:42.580965042 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81060 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:43.637506008 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:43.951869011 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81061 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:44.860646009 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:45.177295923 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81063 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:48.538868904 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:48.854542017 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81066 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:49.941776037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:50.257595062 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81068 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:53.809844971 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:54.123975039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81071 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:48:54.182903051 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:48:54.496885061 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81072 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:49:04.503498077 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:14.632843018 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:15.149575949 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:49:15.464145899 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81093 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:49:18.696206093 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:49:19.010232925 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81096 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:49:29.013071060 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:39.141232014 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:49.270636082 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:49:56.593346119 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:49:56.908118963 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81134 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:50:06.927319050 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:50:17.061306000 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	04:48:09
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb60000
File size:	966'656 bytes
MD5 hash:	9B55AFC1CA0156A623D6C797CF48EA06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:48:11
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:48:11
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:48:13
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:48:13
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:48:14
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	04:48:15
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2176 -parentBuildID 20230927232528 -prefsHandle 2084 -prefMapHandle 2076 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {673b1df6-0c4b-4256-9078-09fbf41f71ab} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b24146e110 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	04:48:18
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4336 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 4116 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a7fa0f8-03b6-45d3-a9d9-1cefb0e1c3a3} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b24147d210 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	04:48:31
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=884 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 948 -prefMapHandle 944 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8de80ac3-24d6-4ca4-bcf4-f7144e6d958c} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1b252a96110 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	1752
Total number of Limit Nodes:	48

Executed Functions

Function 00B642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B6430D

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

GetCurrentProcess.KERNEL32(?,00BFCB64,00000000,?,?), ref: 00B64422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B64429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B64454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B64466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00B64474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B6447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B644A0

Strings

|O, xrefs: 00BA36F8
GetNativeSystemInfo, xrefs: 00B64460
kernel32.dll, xrefs: 00B6444F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 240488dea82d6a38e135992f733709cc12d1ebec5fb41ed7f64fa84ccdd9905b
Instruction ID: 1dbe50aecfd7d6a5b96f91be9337c7c13af949a556d9d2477149b227072273ab
Opcode Fuzzy Hash: 240488dea82d6a38e135992f733709cc12d1ebec5fb41ed7f64fa84ccdd9905b
Instruction Fuzzy Hash: 69A1927597E6C4DFC791D7697C827AD7FE4AB27700B0C48D9E84193B32DA244A48CB21

Function 00B642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B650AA,?,?,00000000,00000000), ref: 00B642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B650AA,?,?,00000000,00000000), ref: 00B642C9
LoadResource.KERNEL32(?,00000000,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20), ref: 00BA35BE
SizeofResource.KERNEL32(?,00000000,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20), ref: 00BA35D3
LockResource.KERNEL32(00B650AA,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20,?), ref: 00BA35E6

Strings

SCRIPT, xrefs: 00B642BF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 72a85dec11a76bcc1c75d700aa10cde2a9275d423ee54c47c3c19422014f719f
Instruction ID: 90e7b3c68415bbf48626b3781c966682ce71b214e5e6dc4d7141d02f7402a949
Opcode Fuzzy Hash: 72a85dec11a76bcc1c75d700aa10cde2a9275d423ee54c47c3c19422014f719f
Instruction Fuzzy Hash: 6B115A70201604AFDB218B65DD58F277BB9EBC5B51F2081A9F40297260DB71D854CA20

Function 00BA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B62B6B

Part of subcall function 00B63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C31418,?,00B62E7F,?,?,?,00000000), ref: 00B63A78

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00C22224), ref: 00BA2C10
ShellExecuteW.SHELL32(00000000,?,?,00C22224), ref: 00BA2C17

Strings

runas, xrefs: 00BA2C0B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: fe10c0ee35b586d766951257e9f0d56aaa364774622972bce80de1a1b53e83cf
Instruction ID: a09d71e5130bef8387738d0374481a7820e926ba06faff045e1ef62ae1cad406
Opcode Fuzzy Hash: fe10c0ee35b586d766951257e9f0d56aaa364774622972bce80de1a1b53e83cf
Instruction Fuzzy Hash: 8811E931208345AED704FF64D951ABEBBE4DF95750F4C04ADF582531A2CF39894AD712

Function 00BCD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BCD501
Process32FirstW.KERNEL32(00000000,?), ref: 00BCD50F
Process32NextW.KERNEL32(00000000,?), ref: 00BCD52F
CloseHandle.KERNEL32(00000000), ref: 00BCD5DC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 1b2f936f26ba239cc5be3456853656a7a621514f3e7058b56a9083dbd775aac1
Instruction ID: 9a9cbc824439486fa0da18bf77fc843f520cee8daff6f58a676b808f01bd2563
Opcode Fuzzy Hash: 1b2f936f26ba239cc5be3456853656a7a621514f3e7058b56a9083dbd775aac1
Instruction Fuzzy Hash: DB319F711083009FD300EF54C881FAFBBE8EFA9354F14096DF585971A1EB719A88CBA2

Function 00BCDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00BA5222), ref: 00BCDBCE
GetFileAttributesW.KERNEL32(?), ref: 00BCDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00BCDBEE
FindClose.KERNEL32(00000000), ref: 00BCDBFA

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9df335126ff60e85b0ec6ac2244eda2f3f473665f98affeee918764d707cf5ac
Instruction ID: 20dcd2d4351e2390746503bd065cf1a66fb5f0a1e56caf8a70a798773b412206
Opcode Fuzzy Hash: 9df335126ff60e85b0ec6ac2244eda2f3f473665f98affeee918764d707cf5ac
Instruction Fuzzy Hash: 9BF0A0308109185782206F7CAE0D9BB3BACDE01334B104B5AF836C30E0EFB06994C695

Function 00BBD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BBD220

Strings

X64, xrefs: 00BBD2A8
%.3d, xrefs: 00BBD22B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a081c41b1cc86b247b9e3a619085f12db897235df51e5c2b8892b2d49c8cf397
Instruction ID: ddec2e7207602ad899893e688b6fe174c83e711a1680c50edf2ac22ee110061a
Opcode Fuzzy Hash: a081c41b1cc86b247b9e3a619085f12db897235df51e5c2b8892b2d49c8cf397
Instruction Fuzzy Hash: 47D01261C09159EBCB50D7D0DCC59F9B7FCEB08341F5084E2F91A92040F66CC948AB61

Function 00B84CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000,?,00B928E9), ref: 00B84D09
TerminateProcess.KERNEL32(00000000,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000,?,00B928E9), ref: 00B84D10
ExitProcess.KERNEL32 ref: 00B84D22

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ff4239efee954a8fc0e64c657ab7238aa7335141b341bfb3e11b0af841b1216d
Instruction ID: c7544d572e245b2563579628f0ef3d932c1a3500df1d4fda6ea8bec8bf7305d5
Opcode Fuzzy Hash: ff4239efee954a8fc0e64c657ab7238aa7335141b341bfb3e11b0af841b1216d
Instruction Fuzzy Hash: C4E0B631004149ABCF12BF54DE09A687FA9EB42781B104064FC059B132CB35EE92DB84

Function 00BBD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BBD28C

Strings

X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8e166ed3641cfb796d2ae91aec90655be7f4013e63f9c9453c1f31c288fa8536
Instruction ID: e40e4ccba7fb3e70d5935cd327355c7e068567a092ce9623ef601e640cc7dc07
Opcode Fuzzy Hash: 8e166ed3641cfb796d2ae91aec90655be7f4013e63f9c9453c1f31c288fa8536
Instruction Fuzzy Hash: 4AD0C9B480111DEBCB94CBA0DCC8DE9B7BCBF04345F104195F106A2000DB7495498F10

Function 00BEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00BEB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB1D4
_wcslen.LIBCMT ref: 00BEB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB236
_wcslen.LIBCMT ref: 00BEB332

Part of subcall function 00BD05A7: GetStdHandle.KERNEL32(000000F6), ref: 00BD05C6

_wcslen.LIBCMT ref: 00BEB34B
_wcslen.LIBCMT ref: 00BEB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BEB3B6
GetLastError.KERNEL32(00000000), ref: 00BEB407
CloseHandle.KERNEL32(?), ref: 00BEB439
CloseHandle.KERNEL32(00000000), ref: 00BEB44A
CloseHandle.KERNEL32(00000000), ref: 00BEB45C
CloseHandle.KERNEL32(00000000), ref: 00BEB46E
CloseHandle.KERNEL32(?), ref: 00BEB4E3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: d3fdca7776dd4fa9a321e36ad351fb626e945aff93883c36f4a4592375771d1f
Instruction ID: e1f655454cecd9d4be42776e6c20774e61b2d3d983d99146565ce2dccf2789aa
Opcode Fuzzy Hash: d3fdca7776dd4fa9a321e36ad351fb626e945aff93883c36f4a4592375771d1f
Instruction Fuzzy Hash: 5CF15A315082409FC714EF25C891F6BBBE5EF85314F14859DF89A9B2A2DB35EC44CB52

Function 00B6D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B6D807
timeGetTime.WINMM ref: 00B6DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB28
TranslateMessage.USER32(?), ref: 00B6DB7B
DispatchMessageW.USER32(?), ref: 00B6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB9F
Sleep.KERNEL32(0000000A), ref: 00B6DBB1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 51b5617ea40ff1ced31f9512ac8cf8084afb0c5abf7e659eb77c43ab60b136c8
Instruction ID: 8784bf7612ef82eebcbf1923cc9455d19caf12665127055079a5e6c0b8c19bf0
Opcode Fuzzy Hash: 51b5617ea40ff1ced31f9512ac8cf8084afb0c5abf7e659eb77c43ab60b136c8
Instruction Fuzzy Hash: 3A42C230B08645DFD728CF24C894BBABBE0FF45304F5886A9E56587291D7B4E844CB92

Function 00B62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B62D07
RegisterClassExW.USER32(00000030), ref: 00B62D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B62D42
InitCommonControlsEx.COMCTL32(?), ref: 00B62D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B62D6F
LoadIconW.USER32(000000A9), ref: 00B62D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B62D94

Strings

AutoIt v3 GUI, xrefs: 00B62D23
0, xrefs: 00B62CE9
TaskbarCreated, xrefs: 00B62D37
+, xrefs: 00B62CF0

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 179ab510fc8147eeb89b3e83c671cc28a1abe3d71664d6d1215da76b177899b7
Instruction ID: f2056b32ee1e4a781b05841c200f1e6994df85dfdda85d5862c7196bee0e9b74
Opcode Fuzzy Hash: 179ab510fc8147eeb89b3e83c671cc28a1abe3d71664d6d1215da76b177899b7
Instruction Fuzzy Hash: 4E21B2B591131CAFDB00DFA4E949BEDBFB4FB08700F04811AEA11A72A0DBB15584CF95

Function 00BA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BA039A: CreateFileW.KERNEL32(00000000,00000000,?,00BA0704,?,?,00000000,?,00BA0704,00000000,0000000C), ref: 00BA03B7

GetLastError.KERNEL32 ref: 00BA076F
__dosmaperr.LIBCMT ref: 00BA0776
GetFileType.KERNEL32(00000000), ref: 00BA0782
GetLastError.KERNEL32 ref: 00BA078C
__dosmaperr.LIBCMT ref: 00BA0795
CloseHandle.KERNEL32(00000000), ref: 00BA07B5
CloseHandle.KERNEL32(?), ref: 00BA08FF
GetLastError.KERNEL32 ref: 00BA0931
__dosmaperr.LIBCMT ref: 00BA0938

Strings

H, xrefs: 00BA08BD

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 6429c32c6b80fef3c75d6eb9fe7be9dd49547499fa2e7c5cc2721c2d89c267b2
Instruction ID: 979a1bb38ae0285b910a144d3b9f93ce1600edeb5e661e73dcee0ea699b8e00f
Opcode Fuzzy Hash: 6429c32c6b80fef3c75d6eb9fe7be9dd49547499fa2e7c5cc2721c2d89c267b2
Instruction Fuzzy Hash: ABA10932A281098FDF19BF68D851BAE7BE0EB0A324F140199F815DB291DB359D12CB95

Function 00B6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C31418,?,00B62E7F,?,?,?,00000000), ref: 00B63A78

Part of subcall function 00B63357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B63379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B6356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BA318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BA31CE
RegCloseKey.ADVAPI32(?), ref: 00BA3210
_wcslen.LIBCMT ref: 00BA3277
_wcslen.LIBCMT ref: 00BA3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00B63560
\Include\, xrefs: 00B63527
Include, xrefs: 00BA3184, 00BA31C5
\, xrefs: 00BA328C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: fb242d30d7c0b5a94bdb10a92cb33ebde5d372a7c481f7025d0e46a3733df160
Instruction ID: 7179be431f52bea53873614262637f4f1c3eae99d3b6385805afb7b0685b4c64
Opcode Fuzzy Hash: fb242d30d7c0b5a94bdb10a92cb33ebde5d372a7c481f7025d0e46a3733df160
Instruction Fuzzy Hash: C4718A714183059ECB54EF65EC82AAFBBE8FF95740F40486EF545931B0EB349A48CB62

Function 00B62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B62B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B62B9D
LoadIconW.USER32(00000063), ref: 00B62BB3
LoadIconW.USER32(000000A4), ref: 00B62BC5
LoadIconW.USER32(000000A2), ref: 00B62BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B62BEF
RegisterClassExW.USER32(?), ref: 00B62C40

Part of subcall function 00B62CD4: GetSysColorBrush.USER32(0000000F), ref: 00B62D07
Part of subcall function 00B62CD4: RegisterClassExW.USER32(00000030), ref: 00B62D31
Part of subcall function 00B62CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B62D42
Part of subcall function 00B62CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B62D5F
Part of subcall function 00B62CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B62D6F
Part of subcall function 00B62CD4: LoadIconW.USER32(000000A9), ref: 00B62D85
Part of subcall function 00B62CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B62D94

Strings

#, xrefs: 00B62C16
0, xrefs: 00B62C0F
AutoIt v3, xrefs: 00B62C2F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: adeb85f2559daa972195bc64698b0329e25fa52e0ece85d891a6edb9b6faf329
Instruction ID: 1645c6a3200eb7b17256c156a0bc03978a0a3553fafd9b23f7e1fa74b816f783
Opcode Fuzzy Hash: adeb85f2559daa972195bc64698b0329e25fa52e0ece85d891a6edb9b6faf329
Instruction Fuzzy Hash: E1214971E20318AFDB509FA6ED45BADBFB4FB08B50F08005AEA00A76B0D7B10954CF90

Function 00B63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B6316A,?,?), ref: 00B631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B6316A,?,?), ref: 00B63204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B63227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B6316A,?,?), ref: 00B63232
CreatePopupMenu.USER32 ref: 00B63246
PostQuitMessage.USER32(00000000), ref: 00B63267

Strings

TaskbarCreated, xrefs: 00B6322D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a68a4b7e449f19e911a56c20b492d29b17077a8411a61f19162214c7d54ba634
Instruction ID: 9579ef90e2b21c879097ff61bcd7ee2973574db7148cb20efdaeeef9ae15b4b5
Opcode Fuzzy Hash: a68a4b7e449f19e911a56c20b492d29b17077a8411a61f19162214c7d54ba634
Instruction Fuzzy Hash: 45411831264204ABDF146B7C9D99B7D3AD9EB06B50F0801A5FE02D72A1CB799E80DB61

Function 00B61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B61459
CoUninitialize.COMBASE ref: 00B614F8
UnregisterHotKey.USER32(?), ref: 00B616DD
DestroyWindow.USER32(?), ref: 00BA24B9
FreeLibrary.KERNEL32(?), ref: 00BA251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BA254B

Strings

close all, xrefs: 00B61454

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f1094b6d06861d4364a1a8435b6abc62a08a032d1892ad8f83a74d87fe6788c7
Instruction ID: 8bc636c9a8e1ea28f5bfa687a9a519c3b387635fdab19a097fa79ae7dc5e928f
Opcode Fuzzy Hash: f1094b6d06861d4364a1a8435b6abc62a08a032d1892ad8f83a74d87fe6788c7
Instruction Fuzzy Hash: BBD17A31B062128FCB19EF19C995A29F7E4FF15700F1885EDE44A6B261DB30AD12CF50

Function 00BCDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00BCDE42
gethostname.WS2_32(?,00000100), ref: 00BCDE5C
gethostbyname.WS2_32(?), ref: 00BCDE69
inet_ntoa.WSOCK32(?), ref: 00BCDEAB
_strcat.LIBCMT ref: 00BCDEB9
WSACleanup.WSOCK32 ref: 00BCDEDE

Strings

0.0.0.0, xrefs: 00BCDE87

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: b524ec74af5f65e1e6787335e4f7e1e5469474bb40d3b4dab53e8d56eb90ad88
Instruction ID: 667017a02837bf1d224c82395bb0f8784442a58cb6d1a5a07f982677e7756e3c
Opcode Fuzzy Hash: b524ec74af5f65e1e6787335e4f7e1e5469474bb40d3b4dab53e8d56eb90ad88
Instruction Fuzzy Hash: 6911D53590411AAFCB207B249C4AEEA77ECDB14711F0101FEF509970A1EF708A85CB60

Function 00B62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B62C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B62CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B61CAD,?), ref: 00B62CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B61CAD,?), ref: 00B62CCF

Strings

edit, xrefs: 00B62CAC
AutoIt v3, xrefs: 00B62C89, 00B62C8E, 00B62C8F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 72857aebde6c4133cdd5abf6d09263425c8a72948dd9911b54173c89fc4d982f
Instruction ID: d152f9f95494e02e3bf0b5cc80681b2fbe1c219c39ed3e06aa4abd18e382f03f
Opcode Fuzzy Hash: 72857aebde6c4133cdd5abf6d09263425c8a72948dd9911b54173c89fc4d982f
Instruction Fuzzy Hash: AEF0DA755502987EEB711B17AC08FBB6EBDD7C6F50B04405AFE04A35B0C6615898DEB0

Function 00B63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B83

Strings

Control Panel\Mouse, xrefs: 00B63B3E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: aaae925e4bdb2bb62a1dcf484e1f7ddcfc3709abebed9decafff858cacf06650
Instruction ID: fb74a1526914a202e27c69ab16e28094c7332741c717dea93dddd6565c40903a
Opcode Fuzzy Hash: aaae925e4bdb2bb62a1dcf484e1f7ddcfc3709abebed9decafff858cacf06650
Instruction Fuzzy Hash: 951157B1610208FFDB208FA4DC84EEEBBF8EF05B40B1484AAE901D7110E6319E409BA0

Function 00BBD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BBD3BF
FreeLibrary.KERNEL32 ref: 00BBD3E5

Strings

X64, xrefs: 00BBD2A8
GetSystemWow64DirectoryW, xrefs: 00BBD3B9

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b0a0793fb91d1167d6f0c9c959d536835a781fc1a1b8d9524dd4ef3455b9c222
Instruction ID: d97bf8592bba89dbf1b8e6f3ea95abcba488701fdd0dfcb0f4515f14b8eeeed3
Opcode Fuzzy Hash: b0a0793fb91d1167d6f0c9c959d536835a781fc1a1b8d9524dd4ef3455b9c222
Instruction Fuzzy Hash: F2F0552240075A8BC7741210CC98AFD77E4EF10741BA982E9F016F30A5FBF8CD88C64A

Function 00B6DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00BB32B7

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 221c60888384df5448d3e13f171bf185250d517fd7249a69b30eab598f3d3a79
Instruction ID: 5909d03f217816f8e27e157682d4908a2975ceaa57c8187c88091ae38ba90f8e
Opcode Fuzzy Hash: 221c60888384df5448d3e13f171bf185250d517fd7249a69b30eab598f3d3a79
Instruction Fuzzy Hash: 23C29C79A00205CFCB24CF58C881AADB7F1FF18700F2481A9E966AB391D779ED41CB95

Function 00B6EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B6FE66

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: b27726eb9e4de608cbd74dfd1831a01fc36990f6adab98aa2f519f4d3727a5f8
Instruction ID: c5ee13457a52e2a99fb2234fffa1c3da24f772cbcce1e8b8ab116a04f0621161
Opcode Fuzzy Hash: b27726eb9e4de608cbd74dfd1831a01fc36990f6adab98aa2f519f4d3727a5f8
Instruction Fuzzy Hash: B9B26A75608342CFDB24CF18D490A2AB7E1FB99300F2448ADF8999B361D779ED45CB92

Function 00B63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BA33A2

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B63A04

Strings

Line: , xrefs: 00BA33EB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 438139af449257a151c28303531e1b6aedd37a2f8b5ce0490b328c4d8f59f301
Instruction ID: 715ac9b7d6644f5ab6df6c8aecec7c74482d60e9d6f46bcb94b446fcd34da6b6
Opcode Fuzzy Hash: 438139af449257a151c28303531e1b6aedd37a2f8b5ce0490b328c4d8f59f301
Instruction Fuzzy Hash: 6831D271408304AED725EB20DC45BEFB7D8AF40B10F0845AAF59A931E1DF789A48CBC6

Function 00B7FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B80668

Part of subcall function 00B832A4: RaiseException.KERNEL32(?,?,?,00B8068A,?,00C31444,?,?,?,?,?,?,00B8068A,00B61129,00C28738,00B61129), ref: 00B83304

__CxxThrowException@8.LIBVCRUNTIME ref: 00B80685

Strings

Unknown exception, xrefs: 00B80692

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1d51f075584bf777bc112693c7c30fff1424e29c42ef4a1028a9156597aae353
Instruction ID: 47c005a4a9fa5d52c66e64da7983987cc9b6ec5b33b5b10ffdf733e99523b922
Opcode Fuzzy Hash: 1d51f075584bf777bc112693c7c30fff1424e29c42ef4a1028a9156597aae353
Instruction Fuzzy Hash: FFF0C83490020EB78B14BA64E886CAD77EC9E00750B6085F1B928965B1EF71DA5DC794

Function 00B610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B61BF4
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B61BFC
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B61C07
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B61C12
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B61C1A
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B61C22

Part of subcall function 00B61B4A: RegisterWindowMessageW.USER32(00000004,?,00B612C4), ref: 00B61BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B6136A
OleInitialize.OLE32 ref: 00B61388
CloseHandle.KERNEL32(00000000,00000000), ref: 00BA24AB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d39e75977aa896f4eb4845172145e420c4ede70c6b68a488cbbcd46111065faf
Instruction ID: 714a5882653e6f94f6da1f85f4bf4e8df5c1b6bb42233e6c8945dfcfb7976d4f
Opcode Fuzzy Hash: d39e75977aa896f4eb4845172145e420c4ede70c6b68a488cbbcd46111065faf
Instruction Fuzzy Hash: DA71EAB59313048FC784EFB9A9457AD3AE0FB8934071D866AED0AC73A1EB344445CF59

Function 00BCC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B63A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BCC259
KillTimer.USER32(?,00000001,?,?), ref: 00BCC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BCC270

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 5f85e43286a44792cf3659dc8b3cee81570abedb92c6608fca0b089814996fa5
Instruction ID: 2b763749cf961eaf87f9d957e5f32e10410dd41bb990b927caf7eeea3904d18f
Opcode Fuzzy Hash: 5f85e43286a44792cf3659dc8b3cee81570abedb92c6608fca0b089814996fa5
Instruction Fuzzy Hash: D0319170904344AFEB729F648895BEBBFECAB26308F0404DED6DEA7241C7745A84CB51

Function 00B986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00B985CC,?,00C28CC8,0000000C), ref: 00B98704
GetLastError.KERNEL32(?,00B985CC,?,00C28CC8,0000000C), ref: 00B9870E
__dosmaperr.LIBCMT ref: 00B98739

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 553c994e8f7373f3f7f21b0869e6f368cc572bd964fad5be4d8063af49b39095
Instruction ID: f15f9d2fa204843af4b4d74f50e35f0100ef725e44a961ea1a5898a37b27a80b
Opcode Fuzzy Hash: 553c994e8f7373f3f7f21b0869e6f368cc572bd964fad5be4d8063af49b39095
Instruction Fuzzy Hash: B8012633A0962027DE356274A845B7E6BD98B83774F3901F9F9198F1D2DEB48C81C294

Function 00B6DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00B6DB7B
DispatchMessageW.USER32(?), ref: 00B6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB9F
Sleep.KERNEL32(0000000A), ref: 00B6DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00BB1CC9

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6afe2bd9fa82a225ff39a7cc594d56da23e80e88a430aa1f64981591c21d6a47
Instruction ID: 2f6c0029be1538dae536d6fe47405864b49fc922ba0841663d4c5c73a34dc9d2
Opcode Fuzzy Hash: 6afe2bd9fa82a225ff39a7cc594d56da23e80e88a430aa1f64981591c21d6a47
Instruction Fuzzy Hash: 14F05E316143449BEB30DBA08C99FFA77E8EB48310F544959E61A870D0DB74A488CB16

Function 00B71310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B717F6

Strings

CALL, xrefs: 00B717C6

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 13a63b4d2f8309b95e54c46bc4b953500accd7e5e9645770a70d6ecab1270e60
Instruction ID: 2eb3834fad85307dbf2d9587a7f03e02904d75c17e6e4ed2db7dfb29ea9422e3
Opcode Fuzzy Hash: 13a63b4d2f8309b95e54c46bc4b953500accd7e5e9645770a70d6ecab1270e60
Instruction Fuzzy Hash: 6C2289706082019FC714DF18C490A6ABBF1FF95314F1489ADF4AA8B3A1D775ED45CBA2

Function 00B701E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab723b1201b98ded3a4d570471e03ec5166b5155216935c354a17d4100db3bd
Instruction ID: a7263026866aa8ca32198338c6fb623a8108da37b06f14b504ffd96678a1e897
Opcode Fuzzy Hash: 0ab723b1201b98ded3a4d570471e03ec5166b5155216935c354a17d4100db3bd
Instruction Fuzzy Hash: 50328031A00605DFCB24EF54C885BBEB7F5EF15310F1485EAE929AB292D7B1AD40CB52

Function 00B62DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00BA2C8C

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00B62DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00B62DC4

Strings

X, xrefs: 00BA2C5A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 4b8f0f0ad114f48d95a5bb2956765d064aae98424fb37b41aec4e2000efaae3c
Instruction ID: 05bd0b9527b1892c66f3430bbf4c9182a476e0bd6b952cc424edbf4892f79365
Opcode Fuzzy Hash: 4b8f0f0ad114f48d95a5bb2956765d064aae98424fb37b41aec4e2000efaae3c
Instruction Fuzzy Hash: 3221A571A002989FDF41EF98D845BEE7BF8EF49714F008099E505A7241DFB85A89CF61

Function 00BBD363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 00BBD375

Strings

X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 942f96a7e69afc9770e997985dca725fedd364073c74fa2ae858f166bc11649c
Instruction ID: 018f11ffb46412c4e7b06719da7fda6ece8b632a00461929ddd6d845ad9b1ed1
Opcode Fuzzy Hash: 942f96a7e69afc9770e997985dca725fedd364073c74fa2ae858f166bc11649c
Instruction Fuzzy Hash: 8FD0C9B580515CEBCB94CB40DCC8DE9B7BCBF04345F508195F006A2000EB7895889B10

Function 00B63837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B63908

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 23468f39487a34e84dcbce4b65de20e71b28291f703af0aabe0e4b0f20e31bbf
Instruction ID: 65c30d81396580b22907a0cc207a648bdc697252df72aebf58ae6957c8e20dd9
Opcode Fuzzy Hash: 23468f39487a34e84dcbce4b65de20e71b28291f703af0aabe0e4b0f20e31bbf
Instruction Fuzzy Hash: 3831A2705047019FD760DF24D8847DBBBE8FB49B08F04096EFA9A83290E775AA44CB52

Function 00B7F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B7F661

Part of subcall function 00B6D730: GetInputState.USER32 ref: 00B6D807

Sleep.KERNEL32(00000000), ref: 00BBF2DE

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: e6cba91e7c8a9767c0097762e2fddc3ec2ed322e1c1218bfd4a9256e44f2858f
Instruction ID: 76174f5aa5c7ffa12633d390bbb6ffc52ec6acc3e9842a66673a0def6fa836a4
Opcode Fuzzy Hash: e6cba91e7c8a9767c0097762e2fddc3ec2ed322e1c1218bfd4a9256e44f2858f
Instruction Fuzzy Hash: 41F08C312402059FD310EF69D959FBABBE8EF55760F0040B9E85AC7361EB70AC40CB91

Function 00B6B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B6BB4E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 1f836bc1e383ef7559a11c1a7d850715ce6392e79f560ded49879974bd65b982
Instruction ID: d2da48bd98efa7b9dddadf040b4c292be68fbc304c1b8ed3eaf2080c03b82169
Opcode Fuzzy Hash: 1f836bc1e383ef7559a11c1a7d850715ce6392e79f560ded49879974bd65b982
Instruction Fuzzy Hash: 2E327A71A102099FDF24DF58C894EBEB7F9EF44304F148099E915AB261D7B8ED81CB51

Function 00B64ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B64E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E9C
Part of subcall function 00B64E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64EAE
Part of subcall function 00B64E90: FreeLibrary.KERNEL32(00000000,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EFD

Part of subcall function 00B64E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E62
Part of subcall function 00B64E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64E74
Part of subcall function 00B64E59: FreeLibrary.KERNEL32(00000000,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E87

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 64711ae935146f381795a60ec3a3e9e38ff187543a5bfd6c90e33f28657b63b2
Instruction ID: bbf1136367744c18312e96bc89b6bfd968333a87e7f25c01dd4cd029ebe316c9
Opcode Fuzzy Hash: 64711ae935146f381795a60ec3a3e9e38ff187543a5bfd6c90e33f28657b63b2
Instruction Fuzzy Hash: 7E112332600705AACB25BB60DC02FED77E4AF40B10F2084AEF546A71D1EF799A459B90

Function 00B98402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B98440

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8521b21c96813b3bb9dbf78b3aae857502d6818484b4ee006cdfcd4978753587
Instruction ID: 3cfaca47b8c41f26a7534fb45046bb09d2ad4ceb958e256927b467edb2852220
Opcode Fuzzy Hash: 8521b21c96813b3bb9dbf78b3aae857502d6818484b4ee006cdfcd4978753587
Instruction Fuzzy Hash: 5A11187590410AAFCF05DF58E941A9E7BF5EF49314F1040A9F808AB312DA31DA11CBA5

Function 00B95000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B94C7D: RtlAllocateHeap.NTDLL(00000008,00B61129,00000000,?,00B92E29,00000001,00000364,?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?), ref: 00B94CBE

_free.LIBCMT ref: 00B9506C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: e46bc4a4a80094c2dddfd3812bb978b8aa564257df86e5c929dfed6acf3221a8
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 4A0126726447056BEB328F659881A5AFBE8FB89370F25067DE18483280EA30A805C7B4

Function 00B8E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 843299ac119ce96f31a33c8428911f700e8bdf12ec91f8a774d7fa2e90c25d91
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 89F0F432510A14A6DA313A69DC05B5A37D89F53330F1407F6F434962F2EB74D802CBA5

Function 00B94C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00B61129,00000000,?,00B92E29,00000001,00000364,?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?), ref: 00B94CBE

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1c5fafb77ed47a9f1afd189897b69fd75b4b9fd7fcb9e14aeec473a838f656d5
Instruction ID: 0e1d47889ad0f31a23e5040a5e872804b21eb8cf756c011329229d7f10634d10
Opcode Fuzzy Hash: 1c5fafb77ed47a9f1afd189897b69fd75b4b9fd7fcb9e14aeec473a838f656d5
Instruction Fuzzy Hash: A6F0B4316022256EDF216F729C05F5B37E8FF417A1B1542B5B819A7191CB70D802C6A0

Function 00B93820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d55df8a9d889606ecbf539f54c179d0fdec8d30d75e6dfeb7738252080693856
Instruction ID: 9a57fe23ee88494276b1ea98af9a26c3360b1144ed6125eed39fb71ebca2468c
Opcode Fuzzy Hash: d55df8a9d889606ecbf539f54c179d0fdec8d30d75e6dfeb7738252080693856
Instruction Fuzzy Hash: A8E0E5311006259ADE213A679C84B9A36C9EF42FB0F1500F1BD05928A0DB10DE01D3E0

Function 00B64F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64F6D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: df038e427abc4e16661d9b3b62f00030268ec8d5f240bc17efa231a0ce27bab4
Instruction ID: d00264b31117becdeeab14f33713bd587b4a4ba9b84c3e78c62e7e170cee7826
Opcode Fuzzy Hash: df038e427abc4e16661d9b3b62f00030268ec8d5f240bc17efa231a0ce27bab4
Instruction Fuzzy Hash: ACF03071105B51CFDB389F64D490822BBE4EF1431931089BEE1EE83521CB359844DF10

Function 00BF2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BF2A66

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 56fa18146ae1696a48162fa38ba1a9cf85d99986448403ae7a96a7a3e8075b5a
Instruction ID: 70f1b3e0ea44646919c4417a077a7541c5ec97040be16b3c0cbbe583c3d65b79
Opcode Fuzzy Hash: 56fa18146ae1696a48162fa38ba1a9cf85d99986448403ae7a96a7a3e8075b5a
Instruction Fuzzy Hash: 0BE04F3635411AAAC714EB30EC809FAB7DCEB5039571045BAAD56D3100EB309A99D6A0

Function 00B630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B6314E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6048af5b30f9d62287c145687e4cdb493b8c24eafe936436b5bfcd8134ddd0d8
Instruction ID: 87e34a5fdf57c5ff1f0df8bfb51420d300e4b1b119658307f29037de7c93e364
Opcode Fuzzy Hash: 6048af5b30f9d62287c145687e4cdb493b8c24eafe936436b5bfcd8134ddd0d8
Instruction Fuzzy Hash: 79F037709143189FEB929B24DC457D97BFCA701708F0400E5A54897291DB745788CF51

Function 00B62DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00B62DC4

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 9d0e406b374f023fc2157e9d73b6d7a5e726691cf60d717cfae38fd9141a09ac
Instruction ID: 41e37ecc4d51e391596d02710fb86e3fd042a8dc7651a1f20ea25244f9498668
Opcode Fuzzy Hash: 9d0e406b374f023fc2157e9d73b6d7a5e726691cf60d717cfae38fd9141a09ac
Instruction Fuzzy Hash: BEE0CD766041245BC710965C9C06FEA77DDDFC8790F0440B1FD09D7248D964AD80C550

Function 00B62B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B63837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B63908

Part of subcall function 00B6D730: GetInputState.USER32 ref: 00B6D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B62B6B

Part of subcall function 00B630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B6314E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: dc03a2e76bd189d9e2c288f5deb1099a980d50650c66a5b59df58a6f151cb402
Instruction ID: 59ec40c68d448488f95245932435815bc0040495fc7400094f295e4faf94ce1b
Opcode Fuzzy Hash: dc03a2e76bd189d9e2c288f5deb1099a980d50650c66a5b59df58a6f151cb402
Instruction Fuzzy Hash: 64E0CD317042840BCA08BB75A8526BDF7D9DBD1751F4419BEF546431A3CF3D49498352

Function 00BCDF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00BCDF40

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 102b91973a14d6391412f0291fc893b5b39fee5d85937319591f6a3c3fad2666
Instruction ID: 7ee7cd9bee062123817ff09680302f66e2ff71200dc2c4bdee1ce368053d5ca6
Opcode Fuzzy Hash: 102b91973a14d6391412f0291fc893b5b39fee5d85937319591f6a3c3fad2666
Instruction Fuzzy Hash: E6D05EA2A002286BDF60E6749D0EDF73AACCB40214F0006A0786DD3152E964ED8486B0

Function 00BA039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00BA0704,?,?,00000000,?,00BA0704,00000000,0000000C), ref: 00BA03B7

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f87200e69c9e59d16f50962c195aeb5d46468cc2d8cb90337cedb4864f83cec
Instruction ID: 1536021126fcaccfb6c8da31c26aa86778ab0494f2377f1aa97fcf891fbedf8c
Opcode Fuzzy Hash: 6f87200e69c9e59d16f50962c195aeb5d46468cc2d8cb90337cedb4864f83cec
Instruction Fuzzy Hash: 36D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866020C732E971EB90

Function 00B61CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B61CBC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 67cfda639c983899ccac04df6f097b47cbd51309ecbf4e043110c5cca879c57a
Instruction ID: 47db01a20c56d3fe3aaf6db96fe3e3f97650eb12e61011dd03924c4fb6945017
Opcode Fuzzy Hash: 67cfda639c983899ccac04df6f097b47cbd51309ecbf4e043110c5cca879c57a
Instruction Fuzzy Hash: 63C09236290308AFF6148B80BD4BF287B64A358B01F088001FA09AB5F3C7A22864EA50

Non-executed Functions

Function 00BF9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BF961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00BF969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF96C9
SendMessageW.USER32 ref: 00BF96F2
GetKeyState.USER32(00000011), ref: 00BF978B
GetKeyState.USER32(00000009), ref: 00BF9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF97AE
GetKeyState.USER32(00000010), ref: 00BF97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF97E9
SendMessageW.USER32 ref: 00BF9810
SendMessageW.USER32(?,00001030,?,00BF7E95), ref: 00BF9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BF992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BF9941
SetCapture.USER32(?), ref: 00BF994A
ClientToScreen.USER32(?,?), ref: 00BF99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BF99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF99D6
ReleaseCapture.USER32 ref: 00BF99E1
GetCursorPos.USER32(?), ref: 00BF9A19
ScreenToClient.USER32(?,?), ref: 00BF9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BF9A80
SendMessageW.USER32 ref: 00BF9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BF9AEB
SendMessageW.USER32 ref: 00BF9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BF9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BF9B4A
GetCursorPos.USER32(?), ref: 00BF9B68
ScreenToClient.USER32(?,?), ref: 00BF9B75
GetParent.USER32(?), ref: 00BF9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BF9BFA
SendMessageW.USER32 ref: 00BF9C2B
ClientToScreen.USER32(?,?), ref: 00BF9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BF9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BF9CDE
SendMessageW.USER32 ref: 00BF9D01
ClientToScreen.USER32(?,?), ref: 00BF9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BF9D82

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

GetWindowLongW.USER32(?,000000F0), ref: 00BF9E05

Strings

@GUI_DRAGID, xrefs: 00BF997D
F, xrefs: 00BF9D07

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 69299c0cd9348b57a4038412ff8bf569a40accfcb2aae3bc1c22df08605d58f4
Instruction ID: bf1036f9883fc9924598a2981710cad81fa117034cbd3d62fa7faad7aafd9ba8
Opcode Fuzzy Hash: 69299c0cd9348b57a4038412ff8bf569a40accfcb2aae3bc1c22df08605d58f4
Instruction Fuzzy Hash: 7B428D34204209AFDB24DF24CD84BBABBE5FF49710F144699F699C72A1DB31A898CF51

Function 00BF4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00BF48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00BF4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00BF4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00BF494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00BF495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00BF497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00BF49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00BF49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00BF4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BF4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BF4A7E
IsMenu.USER32(?), ref: 00BF4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF4B20
GetWindowLongW.USER32(?,000000F0), ref: 00BF4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00BF4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00BF4C82
wsprintfW.USER32 ref: 00BF4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BF4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BF4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BF4D5A

Strings

%d/%02d/%02d, xrefs: 00BF4CA8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 87828abe8f2c31cc71c44a92edf16169ea6c9a5538f0e3d6ffb497e579cf549a
Instruction ID: f0acfa45b78fd4878151f6dd17c84209c81f0449f8b871a0477bc1a19d350465
Opcode Fuzzy Hash: 87828abe8f2c31cc71c44a92edf16169ea6c9a5538f0e3d6ffb497e579cf549a
Instruction Fuzzy Hash: 6812CF71600259ABEB248F28CC49FBF7BF8EF45710F1041A9FA1ADB2A1DB749945CB50

Function 00B7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B7F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BBF474
IsIconic.USER32(00000000), ref: 00BBF47D
ShowWindow.USER32(00000000,00000009), ref: 00BBF48A
SetForegroundWindow.USER32(00000000), ref: 00BBF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BBF4AA
GetCurrentThreadId.KERNEL32 ref: 00BBF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BBF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BBF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BBF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BBF4DE
SetForegroundWindow.USER32(00000000), ref: 00BBF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF4F6
keybd_event.USER32(00000012,00000000), ref: 00BBF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF50B
keybd_event.USER32(00000012,00000000), ref: 00BBF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF519
keybd_event.USER32(00000012,00000000), ref: 00BBF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF528
keybd_event.USER32(00000012,00000000), ref: 00BBF52D
SetForegroundWindow.USER32(00000000), ref: 00BBF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BBF557

Strings

Shell_TrayWnd, xrefs: 00BBF46F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a58526e032f09001e4f02b988ab7dccf14ff4e7434b6c84609cbc9d18f5a1cab
Instruction ID: 6f2303501006fc0fbbe1594c6e0819deafddc60eb9b4ac265eb85b1f339215d6
Opcode Fuzzy Hash: a58526e032f09001e4f02b988ab7dccf14ff4e7434b6c84609cbc9d18f5a1cab
Instruction Fuzzy Hash: E2314F71A4021DBBEB206BB55D4AFBF7EACEB44B50F100065FA01E71D1CBB19D40EAA0

Function 00BC1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00BC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
Part of subcall function 00BC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
Part of subcall function 00BC16C3: GetLastError.KERNEL32 ref: 00BC174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00BC1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00BC12A8
CloseHandle.KERNEL32(?), ref: 00BC12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BC12D1
GetProcessWindowStation.USER32 ref: 00BC12EA
SetProcessWindowStation.USER32(00000000), ref: 00BC12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BC1310

Part of subcall function 00BC10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC11FC), ref: 00BC10D4
Part of subcall function 00BC10BF: CloseHandle.KERNEL32(?,?,00BC11FC), ref: 00BC10E9

Strings

winsta0, xrefs: 00BC12CC
default, xrefs: 00BC130B
, xrefs: 00BC125A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 6b736a1c4937db1598340ea971ecd1f4f20876e4f682a752a88c157c2521ee7a
Instruction ID: 9b73bf645e1938dbf2bd310cc06b289795f79b91475d494bc70968c617f2892a
Opcode Fuzzy Hash: 6b736a1c4937db1598340ea971ecd1f4f20876e4f682a752a88c157c2521ee7a
Instruction Fuzzy Hash: 15817871900209ABDF259FA8DD49FEE7BB9EF05704F1445A9F910B72A2DB308984CF60

Function 00BC0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
Part of subcall function 00BC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
Part of subcall function 00BC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
Part of subcall function 00BC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC0C00
GetLengthSid.ADVAPI32(?), ref: 00BC0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00BC0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC0C6D
GetLengthSid.ADVAPI32(?), ref: 00BC0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BC0C8C
HeapAlloc.KERNEL32(00000000), ref: 00BC0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC0CB4
CopySid.ADVAPI32(00000000), ref: 00BC0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D45
HeapFree.KERNEL32(00000000), ref: 00BC0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D55
HeapFree.KERNEL32(00000000), ref: 00BC0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D65
HeapFree.KERNEL32(00000000), ref: 00BC0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC0D78
HeapFree.KERNEL32(00000000), ref: 00BC0D7F

Part of subcall function 00BC1193: GetProcessHeap.KERNEL32(00000008,00BC0BB1,?,00000000,?,00BC0BB1,?), ref: 00BC11A1
Part of subcall function 00BC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BC0BB1,?), ref: 00BC11A8
Part of subcall function 00BC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BC0BB1,?), ref: 00BC11B7

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bee75659effae38db4e7c3d1bea5d66397d80bd5e63f545998313108dd802cc6
Instruction ID: 59750d439d50d0531e688b5e40e1e8dd2db01ed4be20587950c4ef35a9dbb9c0
Opcode Fuzzy Hash: bee75659effae38db4e7c3d1bea5d66397d80bd5e63f545998313108dd802cc6
Instruction Fuzzy Hash: 2E715C7290020AEBDF10EFA4DD44FAEBBB8FF04700F1446A9E915E7191DB71AA45CB60

Function 00BDEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BFCC08), ref: 00BDEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00BDEB37
GetClipboardData.USER32(0000000D), ref: 00BDEB43
CloseClipboard.USER32 ref: 00BDEB4F
GlobalLock.KERNEL32(00000000), ref: 00BDEB87
CloseClipboard.USER32 ref: 00BDEB91
GlobalUnlock.KERNEL32(00000000), ref: 00BDEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00BDEBC9
GetClipboardData.USER32(00000001), ref: 00BDEBD1
GlobalLock.KERNEL32(00000000), ref: 00BDEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00BDEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00BDEC38
GetClipboardData.USER32(0000000F), ref: 00BDEC44
GlobalLock.KERNEL32(00000000), ref: 00BDEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00BDEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BDEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BDECD2
GlobalUnlock.KERNEL32(00000000), ref: 00BDECF3
CountClipboardFormats.USER32 ref: 00BDED14
CloseClipboard.USER32 ref: 00BDED59

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: cc394dfb89e49c42bf0c498ad99efe7ad7c0482d89abcdc560db912d4f2f5805
Instruction ID: dba7c4042ec047c30d9c36c963c0e20cf1a280dc140eeed80a5a3810300274c7
Opcode Fuzzy Hash: cc394dfb89e49c42bf0c498ad99efe7ad7c0482d89abcdc560db912d4f2f5805
Instruction Fuzzy Hash: C6619F34204206AFD300EF24D985F3ABBE4EF84714F14459AF4669B3A1EF31E949CB62

Function 00BD698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD69BE
FindClose.KERNEL32(00000000), ref: 00BD6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BD6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BD6A75

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD6ADF

Strings

%4d, xrefs: 00BD6BB1
%03d, xrefs: 00BD6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00BD6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00BD6B6A
%02d, xrefs: 00BD6C00, 00BD6C0A, 00BD6C5A, 00BD6CAA, 00BD6CFA, 00BD6D4A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4b21bd78aa07d8724e9fd26a382377ec281be50a824e355eded18b7659227a1b
Instruction ID: 645c0ce30bd43c8367799652124b65aff21d8a1558a4cb0429122284c0f19f3c
Opcode Fuzzy Hash: 4b21bd78aa07d8724e9fd26a382377ec281be50a824e355eded18b7659227a1b
Instruction Fuzzy Hash: 2FD14171508340AFC714DBA4C981EABB7ECEF98704F04495EF589D7251EB78DA44CB62

Function 00BD9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BD9663
GetFileAttributesW.KERNEL32(?), ref: 00BD96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00BD96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00BD96D3
FindClose.KERNEL32(00000000), ref: 00BD96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00BD96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD974A
SetCurrentDirectoryW.KERNEL32(00C26B7C), ref: 00BD9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD9772
FindClose.KERNEL32(00000000), ref: 00BD977F
FindClose.KERNEL32(00000000), ref: 00BD978F

Strings

*.*, xrefs: 00BD96F5

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e154f76431f341df7f276a8585639fa8809e0614b46b093f81c3f73891a9f261
Instruction ID: 3802f2f8b2500d5cc324c8c7da13e69db583ed3d9f16f293c0f1980c314bbeae
Opcode Fuzzy Hash: e154f76431f341df7f276a8585639fa8809e0614b46b093f81c3f73891a9f261
Instruction Fuzzy Hash: 0331843254121D6ADF14AFB4ED49AEEBBECDF49321F1041A6E915E31A0EB30DD84CB64

Function 00BD979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BD97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00BD9819
FindClose.KERNEL32(00000000), ref: 00BD9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00BD9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD9890
SetCurrentDirectoryW.KERNEL32(00C26B7C), ref: 00BD98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD98B8
FindClose.KERNEL32(00000000), ref: 00BD98C5
FindClose.KERNEL32(00000000), ref: 00BD98D5

Part of subcall function 00BCDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BCDB00

Strings

*.*, xrefs: 00BD983B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4f0c41848de4fdc4b112b2ee1d7da99793cbe06622dfcd6ed0a76fe101179fc0
Instruction ID: 06acc43bdf9c90ac78a539326e5383b2bcfb94e433be96e5f94f689513cca1b1
Opcode Fuzzy Hash: 4f0c41848de4fdc4b112b2ee1d7da99793cbe06622dfcd6ed0a76fe101179fc0
Instruction Fuzzy Hash: 9A31953254061D6ADF14AFA4EC48AEEB7ECDF06760F1441A6E514A32A0EB31D984DB64

Function 00BCD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BCD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00BCD1DD
MoveFileW.KERNEL32(?,?), ref: 00BCD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BCD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCD237

Part of subcall function 00BCD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BCD21C,?,?), ref: 00BCD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00BCD253
FindClose.KERNEL32(00000000), ref: 00BCD264

Strings

\*.*, xrefs: 00BCD0CD, 00BCD0D6, 00BCD0EB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3dc20f966c8374256df98fe0bcef510557e3d722cecd442928a1ac7ee0b0b8be
Instruction ID: 0f9df49f36ff4b1f5c8a01381ecf26534b93cb55c5bfb3b56a8ab6d3cdeb75ae
Opcode Fuzzy Hash: 3dc20f966c8374256df98fe0bcef510557e3d722cecd442928a1ac7ee0b0b8be
Instruction Fuzzy Hash: A8614A3580110DAACF15EBE0DA92EEDBBF9EF55340F2441A9E40277191EB34AF09DB60

Function 00BDED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00BDED91
EmptyClipboard.USER32 ref: 00BDED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00BDEDAC
CloseClipboard.USER32 ref: 00BDEEA3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f427fa83fe91071ab2e059e678da7d8c57e802360ea937c0843102a7a87dac76
Instruction ID: dea957120ca64b81f18dd9d7defb68b477c078336b303ca6975bb761bcee941b
Opcode Fuzzy Hash: f427fa83fe91071ab2e059e678da7d8c57e802360ea937c0843102a7a87dac76
Instruction Fuzzy Hash: BF417E35604651EFE720EF15D888B29BBE5EF44318F14C09AE4698F762DB75EC81CB90

Function 00BCE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
Part of subcall function 00BC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
Part of subcall function 00BC16C3: GetLastError.KERNEL32 ref: 00BC174A

ExitWindowsEx.USER32(?,00000000), ref: 00BCE932

Strings

, xrefs: 00BCE920
@, xrefs: 00BCE925
, xrefs: 00BCE95C
SeShutdownPrivilege, xrefs: 00BCE902

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e14636d0395f863603d176309c70270b07fe734be64bf14527057eb69349e6c8
Instruction ID: c97b96fc8b158dc47dd9723b14ebd420d51ab259cfc1121c6ea16d1b9bd82622
Opcode Fuzzy Hash: e14636d0395f863603d176309c70270b07fe734be64bf14527057eb69349e6c8
Instruction Fuzzy Hash: BF012B32610215EBEB5426789C8AFBF72DCD714740F1449A9F823E30D2DAF09C808294

Function 00BE1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BE1276
WSAGetLastError.WSOCK32 ref: 00BE1283
bind.WSOCK32(00000000,?,00000010), ref: 00BE12BA
WSAGetLastError.WSOCK32 ref: 00BE12C5
closesocket.WSOCK32(00000000), ref: 00BE12F4
listen.WSOCK32(00000000,00000005), ref: 00BE1303
WSAGetLastError.WSOCK32 ref: 00BE130D
closesocket.WSOCK32(00000000), ref: 00BE133C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d17324ca274b8626ad967931a48bbd4487c17ef4bcc3cb969f28caeb4e3cbe1c
Instruction ID: 3e8fce062dff851083819e4196f7a228e2af60742076ff7a326a35dda1ef8cf3
Opcode Fuzzy Hash: d17324ca274b8626ad967931a48bbd4487c17ef4bcc3cb969f28caeb4e3cbe1c
Instruction Fuzzy Hash: 2E41AF31600140AFD710DF69C988B69BBE5EF46318F2885D8E9569F292C771EC85CBA1

Function 00B9B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9B9D4
_free.LIBCMT ref: 00B9B9F8
_free.LIBCMT ref: 00B9BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C03700), ref: 00B9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C31270,000000FF,?,0000003F,00000000,?), ref: 00B9BC36
_free.LIBCMT ref: 00B9BD4B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 98b07bab7bc53755d0d32c7a2496ff034d1182870a6655d934a332c8fd802cd8
Instruction ID: 2dfe8db50a76067e8526078fd07417971615579742c85864e5e6aca9b6134221
Opcode Fuzzy Hash: 98b07bab7bc53755d0d32c7a2496ff034d1182870a6655d934a332c8fd802cd8
Instruction Fuzzy Hash: 63C1E571904209AFDF24DF69AA41FAE7BF9EF41310F1841FAE89497291EB319E41C790

Function 00BCD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BCD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BCD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCD481
FindClose.KERNEL32(00000000), ref: 00BCD498
FindClose.KERNEL32(00000000), ref: 00BCD4A1

Strings

\*.*, xrefs: 00BCD3F2

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f5b92c669c34b2ef90edde96b91bc5cb7031018b8f50e207e9a313bbae6dfa6f
Instruction ID: b1f783e2c30c718a8c620bd41616648644d91c5edbb044200b0da55fa938b894
Opcode Fuzzy Hash: f5b92c669c34b2ef90edde96b91bc5cb7031018b8f50e207e9a313bbae6dfa6f
Instruction Fuzzy Hash: 45318E310083459BC304EF64D9919AFBBE8EE92304F444AADF4D593291EB34AA09DB63

Function 00B9E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B9E645

Strings

1#QNAN, xrefs: 00B9F84B
1#SNAN, xrefs: 00B9F844
1#INF, xrefs: 00B9F852
1#IND, xrefs: 00B9F83D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1f6c801120bc4068196bc4f341b3781c2bf94b493670789bbd9facb6a7258f06
Instruction ID: 02afb6e3410a8773bd34bb290138d20ae3f0a8f9b4045c9aaef4227ec5dd1c3f
Opcode Fuzzy Hash: 1f6c801120bc4068196bc4f341b3781c2bf94b493670789bbd9facb6a7258f06
Instruction Fuzzy Hash: 29C23771E086298BDF25CE289D807EAB7F5EB48315F1541FAD85DE7240E778AE818F40

Function 00BD648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BD64DC
CoInitialize.OLE32(00000000), ref: 00BD6639
CoCreateInstance.OLE32(00BFFCF8,00000000,00000001,00BFFB68,?), ref: 00BD6650
CoUninitialize.OLE32 ref: 00BD68D4

Strings

.lnk, xrefs: 00BD64BA, 00BD6524, 00BD65E0

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d97b45ed7f4cf8222e7fc2f071e79aea7633fa338d1480b31ef950b105641600
Instruction ID: 07a56de05b624f83f2ad96c9b11f03594df98d0e44711ade279a2f3ee5ec75e7
Opcode Fuzzy Hash: d97b45ed7f4cf8222e7fc2f071e79aea7633fa338d1480b31ef950b105641600
Instruction Fuzzy Hash: A9D14A71508205AFC304EF24C88196BB7E9FF94708F1049ADF5958B2A1EB71ED49CBA2

Function 00BE22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00BE22E8

Part of subcall function 00BDE4EC: GetWindowRect.USER32(?,?), ref: 00BDE504

GetDesktopWindow.USER32 ref: 00BE2312
GetWindowRect.USER32(00000000), ref: 00BE2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00BE2355
GetCursorPos.USER32(?), ref: 00BE2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BE23DF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f00da6cb8d2a56b6adc5fe803e1d1ac7bff0fba0b502da2a9a4e09db4d2a1700
Instruction ID: 96217207541fb0085d242e9517a1ce0bfddb6af096d6f299531065162ddbfde8
Opcode Fuzzy Hash: f00da6cb8d2a56b6adc5fe803e1d1ac7bff0fba0b502da2a9a4e09db4d2a1700
Instruction Fuzzy Hash: 0631DE72504345AFC720DF15C845B6BBBEAFB84310F000A1AF89497181DB34EA48CB92

Function 00BD9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00BD9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00BD9C8B

Part of subcall function 00BD3874: GetInputState.USER32 ref: 00BD38CB
Part of subcall function 00BD3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00BD9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00BD9C75

Strings

*.*, xrefs: 00BD9B5D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 20a8891374eee40daff57cdb3dd22483a7a475f564d4561b99190d0105c85c5e
Instruction ID: e1001d0b5d2441cb800aa8c685cc667bc2df7401fd477690f0c80b33cfe5a64d
Opcode Fuzzy Hash: 20a8891374eee40daff57cdb3dd22483a7a475f564d4561b99190d0105c85c5e
Instruction Fuzzy Hash: 8841537194420EAFDF15DF64C985AEEBBF8EF05310F244196E405A32A1EB319E84DF60

Function 00B7997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B79A4E
GetSysColor.USER32(0000000F), ref: 00B79B23
SetBkColor.GDI32(?,00000000), ref: 00B79B36

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 2f85edf201aefd4a0da9d3bbe58c7599857bc6eb50c97f8f61ffef9485ddabe4
Instruction ID: 450c7bb0fc26557edde3a87d9b36edff64e8fbdec65a79a283d1d9f94e9dd02d
Opcode Fuzzy Hash: 2f85edf201aefd4a0da9d3bbe58c7599857bc6eb50c97f8f61ffef9485ddabe4
Instruction Fuzzy Hash: 12A13570249508AFE728AA3D8C88FBF2ADDDB82300F2581C9F526C7695CE619D01D372

Function 00BE1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
Part of subcall function 00BE304E: _wcslen.LIBCMT ref: 00BE309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BE185D
WSAGetLastError.WSOCK32 ref: 00BE1884
bind.WSOCK32(00000000,?,00000010), ref: 00BE18DB
WSAGetLastError.WSOCK32 ref: 00BE18E6
closesocket.WSOCK32(00000000), ref: 00BE1915

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 40028d8a7ab03d57c936cf25a997caa3ccf2324adac135e3cf27094c4cebb671
Instruction ID: 4107e7c7a7625050523983100a3cd2d36c6cfa52e82e956699904ca042a66d36
Opcode Fuzzy Hash: 40028d8a7ab03d57c936cf25a997caa3ccf2324adac135e3cf27094c4cebb671
Instruction Fuzzy Hash: 5851B275A002009FD710AF24C896F7A77E5EB44718F1884D8F95A9F393CB75AD41CBA1

Function 00BF1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BF1CC0
IsWindowEnabled.USER32 ref: 00BF1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00BF1CDB
IsIconic.USER32 ref: 00BF1CE9
IsZoomed.USER32 ref: 00BF1CF7

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6cb9386cd688927c5374776248e4d4acaa63cf8094ae802c7efb03648bd7b6ab
Instruction ID: a6149eaed73ab25ff5986cc59745079c4f4789642eec689b994b0aa696b0c797
Opcode Fuzzy Hash: 6cb9386cd688927c5374776248e4d4acaa63cf8094ae802c7efb03648bd7b6ab
Instruction Fuzzy Hash: D72194317402189FD7208F1ED884B767BE5EF95314B1988A8E945CF351CB71DC4ACB90

Function 00B68060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00B683FA
VUUU, xrefs: 00BA5DF0
VUUU, xrefs: 00B683E8
ERCP, xrefs: 00B6813C
VUUU, xrefs: 00B6843C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 17c3ea6eebff8612e6cecf1db8f813f6f2e80c99084de3e5d91d88ee75a14ef2
Instruction ID: c9ab7858ab5eb2e8573949feb7aec456f32d056d485054044b06adb50f09d949
Opcode Fuzzy Hash: 17c3ea6eebff8612e6cecf1db8f813f6f2e80c99084de3e5d91d88ee75a14ef2
Instruction Fuzzy Hash: D8A24C71A0461ACBDF34CF58C8807ADB7F1FB55314F2482EAE855A7285EB749E81CB90

Function 00BCAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00BCAAAC
SetKeyboardState.USER32(00000080), ref: 00BCAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00BCAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00BCAB88

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 21fefd155f87ce77fd2557b2d601db2afd205a2994bd974327cc63bd2b64fe1b
Instruction ID: 55e9f83f6b31eea4c4731c1872742fff2bb012893d2a26f3d76b51b04e5aab66
Opcode Fuzzy Hash: 21fefd155f87ce77fd2557b2d601db2afd205a2994bd974327cc63bd2b64fe1b
Instruction Fuzzy Hash: 62310370A8020CAEFB359A68CC49FFA7BF6EB44328F04429EF581961D1D7758D85C762

Function 00BDCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00BDCE89
GetLastError.KERNEL32(?,00000000), ref: 00BDCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00BDCEFE

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e87f2be227b45ffa17166b39c9826c647f2b0907be33afa5723e937478b68bad
Instruction ID: 21b0e008b684adf23f8426bb1e659623be42867440a3cea896a703b0d12c34e8
Opcode Fuzzy Hash: e87f2be227b45ffa17166b39c9826c647f2b0907be33afa5723e937478b68bad
Instruction Fuzzy Hash: 632190B15003069BD720DFA5C985BA7BBFCEB50354F1044AEE546D3251EB70ED48DB54

Function 00BC8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BC82AA

Strings

|, xrefs: 00BC82DA
(, xrefs: 00BC82F0

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f95696fd881caecf679ef47ef65c0c55659f61ab679d22cf9bc9bbaa26fd90e8
Instruction ID: cd0937ec0e3f1f3286a2820bbc1b0a619a647fccecdb1b187942583335d17b91
Opcode Fuzzy Hash: f95696fd881caecf679ef47ef65c0c55659f61ab679d22cf9bc9bbaa26fd90e8
Instruction Fuzzy Hash: 8F322474A006059FCB28CF59C481E6AB7F0FF48710B15C5AEE49ADB7A1EB70E981CB54

Function 00BD5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00BD5D17
FindClose.KERNEL32(?), ref: 00BD5D5F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c711f76f8e63b474bdb49abf6b23ed448dd6ba090daef2eb3c19c15b85ffc261
Instruction ID: ec3bddc853572c6aa82c59373408f77287ef1108d6e5fa641f619e49f32609ad
Opcode Fuzzy Hash: c711f76f8e63b474bdb49abf6b23ed448dd6ba090daef2eb3c19c15b85ffc261
Instruction Fuzzy Hash: FD517A746046019FC724DF28C494EA6FBE5FF49314F1485AEE99A8B3A1DB30E944CBA1

Function 00B92622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B9271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B92724
UnhandledExceptionFilter.KERNEL32(?), ref: 00B92731

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2e67734d0c5f8905583287ec1a8b3a0d7881de191bfd74dfa6492463a3b61108
Instruction ID: e7ef3c6ae6936ef3fb0ba136dbb8ca79a1fdf124770022becde1f78f64052b17
Opcode Fuzzy Hash: 2e67734d0c5f8905583287ec1a8b3a0d7881de191bfd74dfa6492463a3b61108
Instruction Fuzzy Hash: 0D31C37491121CABCF21EF68D98879CBBF8AF08310F5041EAE41CA7260EB349F858F44

Function 00BD51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BD5238
SetErrorMode.KERNEL32(00000000), ref: 00BD52A1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9368520dde16f7e09904d6c840474d73db367784a7acdbfd7b66f90dab76bd01
Instruction ID: 45697b266bbed8c548c111d55dfade78b754bba9686d53372a7624593a33eacd
Opcode Fuzzy Hash: 9368520dde16f7e09904d6c840474d73db367784a7acdbfd7b66f90dab76bd01
Instruction Fuzzy Hash: E1314B75A10518DFDB00DF94D884EADBBF4FF48314F048099E849AB3A2DB35E85ACB90

Function 00BC16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B80668
Part of subcall function 00B7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B80685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
GetLastError.KERNEL32 ref: 00BC174A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: fc52958362253cfc320d2512253e0e8e3630de3787c37bfb27685295d033cf43
Instruction ID: 161fc92f2faf2b536b94c7cbbe043c59d0eecc097bce01653f0e23be54544a4c
Opcode Fuzzy Hash: fc52958362253cfc320d2512253e0e8e3630de3787c37bfb27685295d033cf43
Instruction Fuzzy Hash: 7B11C1B2400309FFD7289F68DCC6E7ABBF9EB04714B20856EE05693241EB70BC41CA24

Function 00BCD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BCD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00BCD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BCD650

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a5766de444cc56cd989766b8806b3c635839a49af4dd702b1f77664d45903e41
Instruction ID: 9e5570266ee72b423bb61c886a6d44300fa696df221290ef446ed8e4a9c2070c
Opcode Fuzzy Hash: a5766de444cc56cd989766b8806b3c635839a49af4dd702b1f77664d45903e41
Instruction Fuzzy Hash: B5113C75E05228BBDB108F999D45FAFBFBCEB45B50F108166F904E7290D6704A05CBA1

Function 00BC1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BC168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BC16A1
FreeSid.ADVAPI32(?), ref: 00BC16B1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6510ad21920b25c17a3586966737dd971d5461c647443d29eee9412f7fba026d
Instruction ID: 3f232d9a7ff76cb14c4eb3fc5a25eede0e6d63e213c429471962b5bf17516cad
Opcode Fuzzy Hash: 6510ad21920b25c17a3586966737dd971d5461c647443d29eee9412f7fba026d
Instruction Fuzzy Hash: F5F0F47195030DFBDB00DFF49D89EAEBBBCEB08604F5049A5E501E3181EB74AA449A54

Function 00B9C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00B9C36C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e128e1f389bcc41b9c310b5fdf9215fccc34bb889d4c3d9da22a93f189c0f217
Instruction ID: bae05c5bba825962a38c4b59ea0ea54665b9c29a2f83c7c3814354623f389113
Opcode Fuzzy Hash: e128e1f389bcc41b9c310b5fdf9215fccc34bb889d4c3d9da22a93f189c0f217
Instruction Fuzzy Hash: F3411572900219AFCF249FB9DC89EBB7BF8EB84354F5042B9F905D7281E6709D818B54

Function 00B8CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4721ac9dbf9fea738e2bb59410ca960eb5300eeea12fc41919ea2b5993f36347
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B9022CB1E002199BDF14DFA9C8806ADBBF1FF48314F2581AAD919E7390D730AE45CB94

Function 00BD68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD6918
FindClose.KERNEL32(00000000), ref: 00BD6961

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 80779c5cb204b44458d96e91ab2edaa95eb58ac5323192d59903469c3f739b81
Instruction ID: d47419fe1dfd89771b89c43f2edfd6683c0b0f06145a76083391112eff65c1aa
Opcode Fuzzy Hash: 80779c5cb204b44458d96e91ab2edaa95eb58ac5323192d59903469c3f739b81
Instruction Fuzzy Hash: AE1190316142019FC710DF69D498A26FBE5FF89328F14C69AE4698F3A2DB34EC45CB91

Function 00BD37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00BE4891,?,?,00000035,?), ref: 00BD37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00BE4891,?,?,00000035,?), ref: 00BD37F4

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9537781985b58d9603cca919668b029517a6def4bfdcca04c1f9b53a73e3751b
Instruction ID: f7dd40965790d0438766163b78336542935fb23030463a7b24e35a2fb23e8598
Opcode Fuzzy Hash: 9537781985b58d9603cca919668b029517a6def4bfdcca04c1f9b53a73e3751b
Instruction Fuzzy Hash: 54F0E5B06052296AE72017668C4DFEB7AEEEFC5B61F0001A6F509E3281D9709D44C6B1

Function 00BCB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BCB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00BCB270

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 43d0719f3b449608d8a51df73ebe5ac92bc84e0ff85bb18f9bbf62eb95cd17c2
Instruction ID: 0ae93a5626d214616b734dc8bc388fe724c16cd31942d97eb3047aa6f584c9c1
Opcode Fuzzy Hash: 43d0719f3b449608d8a51df73ebe5ac92bc84e0ff85bb18f9bbf62eb95cd17c2
Instruction Fuzzy Hash: 07F01D7180424DABDB059FA0C806BBE7FB4FF04305F008449F965AA191C7799655DF94

Function 00BC10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC11FC), ref: 00BC10D4
CloseHandle.KERNEL32(?,?,00BC11FC), ref: 00BC10E9

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d08a0c1357b3a8f18f2e7c813e3e3850c9c043c0b8ea24d97a97ea5f0a86787d
Instruction ID: 7d6c8ec21f93348cc5946b43f2e306c4a6eea0ffd5469ed64d777cbc0286bbf9
Opcode Fuzzy Hash: d08a0c1357b3a8f18f2e7c813e3e3850c9c043c0b8ea24d97a97ea5f0a86787d
Instruction Fuzzy Hash: 75E04F32008601AEE7252B21FC05E737BE9EF04310F10C86DF4A5814B1DF626CE0DB18

Function 00B6CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00BB0C40

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 40f227f19bfa0691a42293a1ea8a64afba0543fe71d97e21a5c6335e9fc8080a
Instruction ID: 8edb92843887b353c4df61863509edfd3f544504acb670ef815904ad75bec719
Opcode Fuzzy Hash: 40f227f19bfa0691a42293a1ea8a64afba0543fe71d97e21a5c6335e9fc8080a
Instruction Fuzzy Hash: D9326C70910218DBCF14EF94C895AFEBBF5FF04304F1480A9E846AB292D779AD49CB60

Function 00B9676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B96766,?,?,00000008,?,?,00B9FEFE,00000000), ref: 00B96998

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fc83978f4e01ac5b52c6acc852b88ac933473bedf58aada1dc2b9b8436b7e6d2
Instruction ID: f65479bcdbb78743831e29474c54f0773bfd80066aef1ccd05e3da0d7066a8af
Opcode Fuzzy Hash: fc83978f4e01ac5b52c6acc852b88ac933473bedf58aada1dc2b9b8436b7e6d2
Instruction Fuzzy Hash: ACB12A316106099FDB19CF28C48AB657BE0FF45364F2586A9E899CF2A2C735E991CB40

Function 00B7B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00BB851F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e9776c3998b694a09e8fdeaca5719c9fadbc8b6e6296276e6d12121792e32185
Instruction ID: 99e1a7ad360c0980c2858703d081952b4b75072a5b127634aeb6048db449e968
Opcode Fuzzy Hash: e9776c3998b694a09e8fdeaca5719c9fadbc8b6e6296276e6d12121792e32185
Instruction Fuzzy Hash: 1D124D759002299BCB24CF58C880BFEB7F9FF48710F14819AE859EB255DB749A81CF94

Function 00BDEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00BDEABD

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7417da719dc58e48402b8693fb79a68008ac890cf133fba011e17ae43278f7c7
Instruction ID: 4c8b3fe6e137eb95ac62165c05e32162644877b717a3381ee5248a37a609ee35
Opcode Fuzzy Hash: 7417da719dc58e48402b8693fb79a68008ac890cf133fba011e17ae43278f7c7
Instruction Fuzzy Hash: 64E048312102059FC710EF59D444D9AFBE9EF58760F008457FC49CB351DB74E8448B90

Function 00B809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00B803EE), ref: 00B809DA

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5a6572cd282b2e93488ca2bd0e7d4765ec021ab5c177012a07edf983bdc518da
Instruction ID: def020990cbccbadfad65955ebe5339d95faa1ba63fa53974f77520b3abc1cf9
Opcode Fuzzy Hash: 5a6572cd282b2e93488ca2bd0e7d4765ec021ab5c177012a07edf983bdc518da
Instruction Fuzzy Hash:

Function 00B8781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00B8798B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 604f760ad32741bf505ba461c7c7bc7f6228d3acbf347af20f6fff4c172bb15b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4F518A616CC605A7DB38B52A889DBBE27C9DB1234CF3805C9D886C72B2DE11DE01D352

Function 00B96DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44fd09c448c81afafb33fff2e3039d7b3a0cf142eacb3370665ec6a3e404a39
Instruction ID: 5a13b5ddf974f91503e75dd440b02b21623b00ea61894b510d65c8584e11fde2
Opcode Fuzzy Hash: b44fd09c448c81afafb33fff2e3039d7b3a0cf142eacb3370665ec6a3e404a39
Instruction Fuzzy Hash: D232F421D79F014DDB239634CC663396689AFB73C5F16D737E81AB5AA6EF29C4838100

Function 00B7CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f150253a4e41588b0850ca66d8436c7da024ee4c05e0ac20131962c7e3d9dbba
Instruction ID: 2bde3b97f17b8ea0c93448b7ee7501e1a4b22614d886172aec9aa2b28c45c5fa
Opcode Fuzzy Hash: f150253a4e41588b0850ca66d8436c7da024ee4c05e0ac20131962c7e3d9dbba
Instruction Fuzzy Hash: 9C32F231A001498BDF39CE29C4D06FD7FE1EB45300F2885EED4AA9B696D6B4DD81DB81

Function 00B67920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062ae6364c394ae1524d34f6d382a20072b246f85e6debca46c7b641081a69bc
Instruction ID: eecbcce771ee25419d8881cf7a261f61acaef317015b5abd9a2aba0ecd1c1405
Opcode Fuzzy Hash: 062ae6364c394ae1524d34f6d382a20072b246f85e6debca46c7b641081a69bc
Instruction Fuzzy Hash: 8922C470A0460ADFDF14CFA4C881BAEB3F5FF49304F2445A9E816A7291EB399E15CB54

Function 00B691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa249ef606ca8a91fb0331cfe42f5b03d97a48962478919bd21ba323bed4884
Instruction ID: 466ee13c983ec448c551b236999d771c207dbcf06ef7b9afba4681c5635c25ca
Opcode Fuzzy Hash: 4fa249ef606ca8a91fb0331cfe42f5b03d97a48962478919bd21ba323bed4884
Instruction Fuzzy Hash: 7602B5B0E04206EBDB14DF54D881BAEB7F5FF45300F1081A9E816DB291EB35EA15CB95

Function 00B81C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4b3f423485deba2eebd47f18c1bf825fc4af16a122c4a586f63b08f7aad1a92b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5791A97210A0A34ADB29563E847417DFFE5DA523A231A0FEDD4F2CA1E5FE10C956D720

Function 00B819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 07a9b698cfb56c44e8ffe69022fd542ad59dc8afed20e1310dba686c93151962
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2E91737220B0A34ADB2D567E857403DFFE99A923A131A0BDED4F2CA1E1FD24C556D720

Function 00B87A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed6ff0d3cd0f8e333a91cfe5c1f53391dade4d23e868ead03dc7b92c620f927
Instruction ID: 11e3f5d73547f9a1074e6ce5af8e18877ffdba934b1a2aca47af071af0a76c5b
Opcode Fuzzy Hash: 7ed6ff0d3cd0f8e333a91cfe5c1f53391dade4d23e868ead03dc7b92c620f927
Instruction Fuzzy Hash: AF6168212C830997DA38BA2889E5BBE63D6DF5170CF3409D9E842DB2B1DE21DE42C755

Function 00B87CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96350a68e69f0eddea575a7d9c68ad78eb9792f9b4b87a66244969c71e4124a4
Instruction ID: 7005ca1d47976b202de1766167191e09ddc0f15bbbd0a57e0944d4a0e770b88a
Opcode Fuzzy Hash: 96350a68e69f0eddea575a7d9c68ad78eb9792f9b4b87a66244969c71e4124a4
Instruction Fuzzy Hash: 36615BB16C870997DA38B9288895BBE23C8DF5274CF3419E9E842DB2B1DE11DD41C355

Function 00B81706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bf8dad1d7f97ef9aaf2f9ac9583bc0cfb09003e8f939591053aadc98d047b5ee
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 2581C87660A0A309DB2D523E847443EFFE59A923A131A0FDDD4F2CB1E1EE24C956D720

Function 00BD2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44208767a20d661adcb41b1e684fbc2e4b04c3c6e4811ee1f01e9ab9631e8ff7
Instruction ID: c29b38aafecd6e2ea1d4a80c6955f4f5108efe1755982a229d4796361fa04613
Opcode Fuzzy Hash: 44208767a20d661adcb41b1e684fbc2e4b04c3c6e4811ee1f01e9ab9631e8ff7
Instruction Fuzzy Hash: 5B21A8326205118BDB28CF79C92377EB3E5A764310F15866EE4A7C37D0DE35A904C740

Function 00BE2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BE2B30
DeleteObject.GDI32(00000000), ref: 00BE2B43
DestroyWindow.USER32 ref: 00BE2B52
GetDesktopWindow.USER32 ref: 00BE2B6D
GetWindowRect.USER32(00000000), ref: 00BE2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00BE2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00BE2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2CF8
GetClientRect.USER32(00000000,?), ref: 00BE2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BE2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D80
GlobalLock.KERNEL32(00000000), ref: 00BE2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D98
GlobalUnlock.KERNEL32(00000000), ref: 00BE2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2DA8
GlobalFree.KERNEL32(00000000), ref: 00BE2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BFFC38,00000000), ref: 00BE2DDB
GlobalFree.KERNEL32(00000000), ref: 00BE2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00BE2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00BE2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE303F

Strings

DISPLAY, xrefs: 00BE2EA2
AutoIt v3, xrefs: 00BE2CF2
static, xrefs: 00BE2D3A, 00BE2E91
, xrefs: 00BE2FC5

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 89d3d04d02b1e00ef6e8decc58f304c69c1fc6bb808d5b07acbd9ac0226c7a0d
Instruction ID: 1b438a38889c78148e88a17f93639f4ca3d1348b2382b67763b4f26f061333d0
Opcode Fuzzy Hash: 89d3d04d02b1e00ef6e8decc58f304c69c1fc6bb808d5b07acbd9ac0226c7a0d
Instruction Fuzzy Hash: 2F028A71910209AFDB14DFA4CD89EAE7BF9EF48710F048198F915AB2A1DB74ED41CB60

Function 00BF70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BF712F
GetSysColorBrush.USER32(0000000F), ref: 00BF7160
GetSysColor.USER32(0000000F), ref: 00BF716C
SetBkColor.GDI32(?,000000FF), ref: 00BF7186
SelectObject.GDI32(?,?), ref: 00BF7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF71C0
GetSysColor.USER32(00000010), ref: 00BF71C8
CreateSolidBrush.GDI32(00000000), ref: 00BF71CF
FrameRect.USER32(?,?,00000000), ref: 00BF71DE
DeleteObject.GDI32(00000000), ref: 00BF71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00BF7230
FillRect.USER32(?,?,?), ref: 00BF7262
GetWindowLongW.USER32(?,000000F0), ref: 00BF7284

Part of subcall function 00BF73E8: GetSysColor.USER32(00000012), ref: 00BF7421
Part of subcall function 00BF73E8: SetTextColor.GDI32(?,?), ref: 00BF7425
Part of subcall function 00BF73E8: GetSysColorBrush.USER32(0000000F), ref: 00BF743B
Part of subcall function 00BF73E8: GetSysColor.USER32(0000000F), ref: 00BF7446
Part of subcall function 00BF73E8: GetSysColor.USER32(00000011), ref: 00BF7463
Part of subcall function 00BF73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BF7471
Part of subcall function 00BF73E8: SelectObject.GDI32(?,00000000), ref: 00BF7482
Part of subcall function 00BF73E8: SetBkColor.GDI32(?,00000000), ref: 00BF748B
Part of subcall function 00BF73E8: SelectObject.GDI32(?,?), ref: 00BF7498
Part of subcall function 00BF73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00BF74B7
Part of subcall function 00BF73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BF74CE
Part of subcall function 00BF73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00BF74DB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 0283cb2ba6c43775028ce1c9d29c8c3e50d9ba7b6edb861dd3060d0d9c6dadda
Instruction ID: 49fbb7c9ae34901ee1dcfd7f4c2abcfe8a998779082d7de587ac5428db4a6278
Opcode Fuzzy Hash: 0283cb2ba6c43775028ce1c9d29c8c3e50d9ba7b6edb861dd3060d0d9c6dadda
Instruction Fuzzy Hash: F3A18F72008309AFD7009F64DD49E7A7BE9FB49320F100A59FA62A71A1DB71E989CB51

Function 00B78D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B78E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BB6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BB6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BB6F43

Part of subcall function 00B78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B78BE8,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78FC5

SendMessageW.USER32(?,00001053), ref: 00BB6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BB6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BB6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BB6FB7

Strings

0, xrefs: 00BB6DCF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f0dcaa88e47453d8e7726ec0ab2ccb31165e961e7636bc1ccf19d66fb19c7f8c
Instruction ID: ea83692bbbb5e1444c95a915b3b254eff2d659dcf1b492109011a1ce34e96c4c
Opcode Fuzzy Hash: f0dcaa88e47453d8e7726ec0ab2ccb31165e961e7636bc1ccf19d66fb19c7f8c
Instruction Fuzzy Hash: 54129C30605201EFDB25CF24C998BB9BBE5FB44310F1884A9E499CB261CB75EC92DB51

Function 00BE2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BE273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BE286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00BE28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00BE28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00BE2900
GetClientRect.USER32(00000000,?), ref: 00BE290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00BE2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BE2964
GetStockObject.GDI32(00000011), ref: 00BE2974
SelectObject.GDI32(00000000,00000000), ref: 00BE2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00BE2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE2991
DeleteDC.GDI32(00000000), ref: 00BE299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BE29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BE29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00BE2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BE2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BE2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00BE2A77
GetStockObject.GDI32(00000011), ref: 00BE2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BE2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00BE2A97

Strings

DISPLAY, xrefs: 00BE295A
AutoIt v3, xrefs: 00BE28F8
static, xrefs: 00BE294F, 00BE2A71
msctls_progress32, xrefs: 00BE2A13

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 71ec643c22d8c21b1fd7f63c1c18ad8ca0b8b6afb18140050e49b7706ef0e5e8
Instruction ID: 4ac21d7c651fd518bf3c08487b9a7635407a995dfc0b80e9eb73b99a156367a1
Opcode Fuzzy Hash: 71ec643c22d8c21b1fd7f63c1c18ad8ca0b8b6afb18140050e49b7706ef0e5e8
Instruction Fuzzy Hash: AFB16E71A50219AFEB14DF68CD89FAE7BB9EB08710F004155F915E72A0DB74ED40CBA0

Function 00BD4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD4AED
GetDriveTypeW.KERNEL32(?,00BFCB68,?,\\.\,00BFCC08), ref: 00BD4BCA
SetErrorMode.KERNEL32(00000000,00BFCB68,?,\\.\,00BFCC08), ref: 00BD4D36

Strings

SATA, xrefs: 00BD4CD0
Removable, xrefs: 00BD4C10, 00BD4C15
iSCSI, xrefs: 00BD4CC2
Network, xrefs: 00BD4C02
\\.\, xrefs: 00BD4B3F
FileBackedVirtual, xrefs: 00BD4CEC
CDROM, xrefs: 00BD4BFB
USB, xrefs: 00BD4CB4
SCSI, xrefs: 00BD4C8A
RAMDisk, xrefs: 00BD4BF4
SAS, xrefs: 00BD4CC9
Virtual, xrefs: 00BD4CE5
MMC, xrefs: 00BD4CDE
RAID, xrefs: 00BD4CBB
Unknown, xrefs: 00BD4BED, 00BD4C83
Fibre, xrefs: 00BD4CAD
PhysicalDrive, xrefs: 00BD4B76
SSD, xrefs: 00BD4C4A
ATAPI, xrefs: 00BD4C91
Fixed, xrefs: 00BD4C09
SSA, xrefs: 00BD4CA6
ATA, xrefs: 00BD4C98
1394, xrefs: 00BD4C9F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5bc4a12107a534d784fe816151d3706052793618261a6d90674fe61d7100e8d8
Instruction ID: 9db6e8ab3eb797e380fe12a45fa931bcad339738035de1ee020b085145006a47
Opcode Fuzzy Hash: 5bc4a12107a534d784fe816151d3706052793618261a6d90674fe61d7100e8d8
Instruction Fuzzy Hash: A561AF30616109ABCB04DF24DAC1978F7F1EB44304B2884E7F806ABB91EB35ED41DB51

Function 00BF73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00BF7421
SetTextColor.GDI32(?,?), ref: 00BF7425
GetSysColorBrush.USER32(0000000F), ref: 00BF743B
GetSysColor.USER32(0000000F), ref: 00BF7446
CreateSolidBrush.GDI32(?), ref: 00BF744B
GetSysColor.USER32(00000011), ref: 00BF7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BF7471
SelectObject.GDI32(?,00000000), ref: 00BF7482
SetBkColor.GDI32(?,00000000), ref: 00BF748B
SelectObject.GDI32(?,?), ref: 00BF7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BF74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00BF74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BF7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00BF7572
DrawFocusRect.USER32(?,?), ref: 00BF757D
GetSysColor.USER32(00000011), ref: 00BF758E
SetTextColor.GDI32(?,00000000), ref: 00BF7596
DrawTextW.USER32(?,00BF70F5,000000FF,?,00000000), ref: 00BF75A8
SelectObject.GDI32(?,?), ref: 00BF75BF
DeleteObject.GDI32(?), ref: 00BF75CA
SelectObject.GDI32(?,?), ref: 00BF75D0
DeleteObject.GDI32(?), ref: 00BF75D5
SetTextColor.GDI32(?,?), ref: 00BF75DB
SetBkColor.GDI32(?,?), ref: 00BF75E5

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 60d10a6a003312031b846da59089f6d1d677ad8102ac04d4aba1e6a4ff920616
Instruction ID: c76f206bd528cd12ae29fb2638edbaa5cfd9196399fd904d37605b2b543f0ed1
Opcode Fuzzy Hash: 60d10a6a003312031b846da59089f6d1d677ad8102ac04d4aba1e6a4ff920616
Instruction Fuzzy Hash: 01615C7290421CAFDB019FA4DD49EEEBFB9EB08320F114155FA15BB2A1DB709980CB90

Function 00BF0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF1128
GetDesktopWindow.USER32 ref: 00BF113D
GetWindowRect.USER32(00000000), ref: 00BF1144
GetWindowLongW.USER32(?,000000F0), ref: 00BF1199
DestroyWindow.USER32(?), ref: 00BF11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BF11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BF121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00BF1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00BF1245
IsWindowVisible.USER32(00000000), ref: 00BF12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00BF12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00BF12D0
GetWindowRect.USER32(00000000,?), ref: 00BF12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00BF130E
GetMonitorInfoW.USER32(00000000,?), ref: 00BF1328
CopyRect.USER32(?,?), ref: 00BF133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00BF13AA

Strings

(, xrefs: 00BF131B
0, xrefs: 00BF10D3
tooltips_class32, xrefs: 00BF11E6

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 090093980d1167743b301287aa3c8d20d0fffd08811173beed319fe61046f6fc
Instruction ID: f7c5db6dd904ab3d7eb41b8dd0d7962df1a5fc0471954f771a5abce72e38f9fc
Opcode Fuzzy Hash: 090093980d1167743b301287aa3c8d20d0fffd08811173beed319fe61046f6fc
Instruction Fuzzy Hash: C0B16A71608345EFD704DF68C984B6ABBE4EF84750F008D5CFA99AB261DB71E848CB91

Function 00BF0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BF02E5
_wcslen.LIBCMT ref: 00BF031F
_wcslen.LIBCMT ref: 00BF0389
_wcslen.LIBCMT ref: 00BF03F1
_wcslen.LIBCMT ref: 00BF0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BF04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BF0504

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

Part of subcall function 00BC223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BC2258
Part of subcall function 00BC223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BC228A

Strings

SELECTINVERT, xrefs: 00BF057E
SELECTALL, xrefs: 00BF0515
GETSELECTEDCOUNT, xrefs: 00BF0470, 00BF048B
FINDITEM, xrefs: 00BF0627
VIEWCHANGE, xrefs: 00BF0675
SELECTCLEAR, xrefs: 00BF052D
GETTEXT, xrefs: 00BF03EC, 00BF0407
GETSUBITEMCOUNT, xrefs: 00BF0384, 00BF039F
SELECT, xrefs: 00BF0548
ISSELECTED, xrefs: 00BF04DD
DESELECT, xrefs: 00BF059C
GETITEMCOUNT, xrefs: 00BF0316, 00BF0337
GETSELECTED, xrefs: 00BF05E1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 021274a3ac8b856c91ebbada0bcc08ffb1e50210b7f8ff459f316f6f2e9baaa9
Instruction ID: dc5822af7e73e2b60c7665af73607aedaa56ad8c5222b232f10bf309008eaec5
Opcode Fuzzy Hash: 021274a3ac8b856c91ebbada0bcc08ffb1e50210b7f8ff459f316f6f2e9baaa9
Instruction Fuzzy Hash: A9E1B1312282059FCB14EF24C59093AB7E6FF98314B1446ADF9969B7B2DB30ED49CB41

Function 00B78891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B78968
GetSystemMetrics.USER32(00000007), ref: 00B78970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B7899B
GetSystemMetrics.USER32(00000008), ref: 00B789A3
GetSystemMetrics.USER32(00000004), ref: 00B789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B78A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B78A3C
GetClientRect.USER32(00000000,000000FF), ref: 00B78A5A
GetStockObject.GDI32(00000011), ref: 00B78A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B78A81

Part of subcall function 00B7912D: GetCursorPos.USER32(?), ref: 00B79141
Part of subcall function 00B7912D: ScreenToClient.USER32(00000000,?), ref: 00B7915E
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000001), ref: 00B79183
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000002), ref: 00B7919D

SetTimer.USER32(00000000,00000000,00000028,00B790FC), ref: 00B78AA8

Strings

AutoIt v3 GUI, xrefs: 00B78A20
InitializeCriticalSectionEx, xrefs: 00BB67BA

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$InitializeCriticalSectionEx
API String ID: 1458621304-260769550
Opcode ID: 23c54978d2f7cf3327e61521b44e5ddf47d253c425a1aeec5f271bcab0a45423
Instruction ID: 52d852041fc21f473dfb0a22a678a7ca8fed55448d428f3e5a61b9741d040ecd
Opcode Fuzzy Hash: 23c54978d2f7cf3327e61521b44e5ddf47d253c425a1aeec5f271bcab0a45423
Instruction Fuzzy Hash: DDB16B71A00209AFDB14DFA8CD89BFE3BF5FB48314F158169FA19A7290DB74A840CB51

Function 00BC0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
Part of subcall function 00BC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
Part of subcall function 00BC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
Part of subcall function 00BC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC0E29
GetLengthSid.ADVAPI32(?), ref: 00BC0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00BC0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC0E96
GetLengthSid.ADVAPI32(?), ref: 00BC0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BC0EB5
HeapAlloc.KERNEL32(00000000), ref: 00BC0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC0EDD
CopySid.ADVAPI32(00000000), ref: 00BC0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F6E
HeapFree.KERNEL32(00000000), ref: 00BC0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F7E
HeapFree.KERNEL32(00000000), ref: 00BC0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F8E
HeapFree.KERNEL32(00000000), ref: 00BC0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC0FA1
HeapFree.KERNEL32(00000000), ref: 00BC0FA8

Part of subcall function 00BC1193: GetProcessHeap.KERNEL32(00000008,00BC0BB1,?,00000000,?,00BC0BB1,?), ref: 00BC11A1
Part of subcall function 00BC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BC0BB1,?), ref: 00BC11A8
Part of subcall function 00BC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BC0BB1,?), ref: 00BC11B7

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 98cf8f45d0ef1077563c95b4a98f4ed6ab9b33ae5ea1dadbbb3e7e0b948ad4e3
Instruction ID: 7a20f3b2ac873d0bc491dfa7fc784f56200633f1154fb1feef9224be3ee7a670
Opcode Fuzzy Hash: 98cf8f45d0ef1077563c95b4a98f4ed6ab9b33ae5ea1dadbbb3e7e0b948ad4e3
Instruction Fuzzy Hash: C5715A7290020AEBDF20AFA4DD48FAEBBB8FF05300F144199F919E7191DB319A55CB60

Function 00BEC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BFCC08,00000000,?,00000000,?,?), ref: 00BEC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BEC5A4
_wcslen.LIBCMT ref: 00BEC5F4
_wcslen.LIBCMT ref: 00BEC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00BEC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00BEC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00BEC84D
RegCloseKey.ADVAPI32(?), ref: 00BEC881
RegCloseKey.ADVAPI32(00000000), ref: 00BEC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00BEC960

Strings

REG_SZ, xrefs: 00BEC644
REG_MULTI_SZ, xrefs: 00BEC6F5
REG_DWORD, xrefs: 00BEC804
REG_BINARY, xrefs: 00BEC913
REG_QWORD, xrefs: 00BEC8C3
REG_EXPAND_SZ, xrefs: 00BEC5CD

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 24c1cc669144b52e31b878b2f060af2951adee9f71aecd811a753d696157bc09
Instruction ID: 8a9d08f2768952418015cc9c743438067ebfff396f8616379787dd996bcf813c
Opcode Fuzzy Hash: 24c1cc669144b52e31b878b2f060af2951adee9f71aecd811a753d696157bc09
Instruction Fuzzy Hash: 25127A356042419FD714DF25C891A2ABBE5FF88714F14889DF88A9B3A2DB35FD42CB81

Function 00BF091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BF09C6
_wcslen.LIBCMT ref: 00BF0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF0A54
_wcslen.LIBCMT ref: 00BF0A8A
_wcslen.LIBCMT ref: 00BF0B06
_wcslen.LIBCMT ref: 00BF0B81

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

Part of subcall function 00BC2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BC2BFA

Strings

UNCHECK, xrefs: 00BF0D3E
GETTEXT, xrefs: 00BF0C97
COLLAPSE, xrefs: 00BF0B01, 00BF0B1C
EXPAND, xrefs: 00BF0BF8
EXISTS, xrefs: 00BF0B7C, 00BF0B97
CHECK, xrefs: 00BF0A85, 00BF0AA0
ISCHECKED, xrefs: 00BF0CE1
SELECT, xrefs: 00BF0D11
GETSELECTED, xrefs: 00BF0C4E
GETITEMCOUNT, xrefs: 00BF0C1E
GETTOTALCOUNT, xrefs: 00BF09F2, 00BF0A17

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4e15270eccbe3f0fa94402fc30cab8318d735c1ba942c9d519daf50e24400053
Instruction ID: f490d7ab301cce3437eb8fd7ac08333ec8b17bec0a3aee3979abfe7d53d3c590
Opcode Fuzzy Hash: 4e15270eccbe3f0fa94402fc30cab8318d735c1ba942c9d519daf50e24400053
Instruction Fuzzy Hash: C8E17B352183058FCB14EF24C49093AB7E1FF98314B14899DF99A9B762DB30ED49CB81

Function 00BEC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
_wcslen.LIBCMT ref: 00BEC9F1
_wcslen.LIBCMT ref: 00BECA68
_wcslen.LIBCMT ref: 00BECA9E
_wcslen.LIBCMT ref: 00BECAF9
_wcslen.LIBCMT ref: 00BECB2F
_wcslen.LIBCMT ref: 00BECB7F

Strings

HKCR, xrefs: 00BECB29, 00BECB2E
HKEY_CURRENT_CONFIG, xrefs: 00BECB79, 00BECB7E
HKEY_LOCAL_MACHINE, xrefs: 00BECA62, 00BECA67
HKLM, xrefs: 00BECA98, 00BECA9D
HKEY_USERS, xrefs: 00BECBDF
HKEY_CLASSES_ROOT, xrefs: 00BECAF3, 00BECAF8
HKCU, xrefs: 00BECBCE
HKU, xrefs: 00BECBF0
HKCC, xrefs: 00BECBAC
HKEY_CURRENT_USER, xrefs: 00BECBBD

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2bc31d8413435a1fd8d8b191700c593ab2944a44dae209574e88ed9d509e6d3d
Instruction ID: bc92e83746bbf64929cedc6a4046ffa3949817970c9f381fe283d88a96c409cf
Opcode Fuzzy Hash: 2bc31d8413435a1fd8d8b191700c593ab2944a44dae209574e88ed9d509e6d3d
Instruction Fuzzy Hash: 707108326001AA8BCF20DE7ED9815BE3BE5EF60754B2512B4F86697294E735CD46C390

Function 00BF833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BF835A
_wcslen.LIBCMT ref: 00BF836E
_wcslen.LIBCMT ref: 00BF8391
_wcslen.LIBCMT ref: 00BF83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BF83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BF5BF2), ref: 00BF844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BF8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BF84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BF8501
FreeLibrary.KERNEL32(?), ref: 00BF850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BF851D
DestroyIcon.USER32(?,?,?,?,?,00BF5BF2), ref: 00BF852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BF8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BF8555

Strings

.dll, xrefs: 00BF83AB
.exe, xrefs: 00BF8388
.icl, xrefs: 00BF8368

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f040236962922eca4da5667498301e0a72ff1c61973bff19965b731efa8aca1d
Instruction ID: 5e4449e03b03f5067fc948f130650cf302e73759625b37c598727ca7338a54b1
Opcode Fuzzy Hash: f040236962922eca4da5667498301e0a72ff1c61973bff19965b731efa8aca1d
Instruction Fuzzy Hash: 9561DE7150021ABEEB14DF64CC82BBE7BA8FB14710F10468AF915DB1E1DF74A994CBA0

Function 00B67778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00B67847
#requireadmin, xrefs: 00B677FF
Unterminated group of comments, xrefs: 00BA528C
", xrefs: 00BA5153
#notrayicon, xrefs: 00B677E7
#ce, xrefs: 00B678ED
#OnAutoItStartRegister, xrefs: 00B67817
Bad directive syntax error, xrefs: 00BA519A
#cs, xrefs: 00B67873, 00B678C5
#comments-end, xrefs: 00B678D9
#include-once, xrefs: 00B6782F
', xrefs: 00BA5169
#comments-start, xrefs: 00B6785F, 00B678B1
Cannot parse #include, xrefs: 00BA5279
#pragma compile, xrefs: 00B677D3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 597f6fb5565c2e1bd779530df34c76e38a1b7b808e8335073f46556cb2443515
Instruction ID: cc20e234a9ea55484877ed2fb71a39c5150e8d31881617ab6e667514f6f7cfa1
Opcode Fuzzy Hash: 597f6fb5565c2e1bd779530df34c76e38a1b7b808e8335073f46556cb2443515
Instruction Fuzzy Hash: 7381C171684209ABDB20AF64CC82FBE37E8EF15304F1440E4F905AB1A6EB749A45C7A5

Function 00BC5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BC5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BC5A40
SetWindowTextW.USER32(?,?), ref: 00BC5A57
GetDlgItem.USER32(?,000003EA), ref: 00BC5A6C
SetWindowTextW.USER32(00000000,?), ref: 00BC5A72
GetDlgItem.USER32(?,000003E9), ref: 00BC5A82
SetWindowTextW.USER32(00000000,?), ref: 00BC5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BC5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BC5AC3
GetWindowRect.USER32(?,?), ref: 00BC5ACC
_wcslen.LIBCMT ref: 00BC5B33
SetWindowTextW.USER32(?,?), ref: 00BC5B6F
GetDesktopWindow.USER32 ref: 00BC5B75
GetWindowRect.USER32(00000000), ref: 00BC5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00BC5BD3
GetClientRect.USER32(?,?), ref: 00BC5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00BC5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BC5C2F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f09551332adb77909ce0735343e5b1b93c8d9e7fd68cb77d35e1ba2e81b418bb
Instruction ID: dcb54ff35199f2f16dffb254b4a92b8fc6a62a5c6702f7f767401f369ed094bc
Opcode Fuzzy Hash: f09551332adb77909ce0735343e5b1b93c8d9e7fd68cb77d35e1ba2e81b418bb
Instruction Fuzzy Hash: 22711A31900A09AFDB20DFA9CE85FAEBBF5EB48704F10455CE546A35A0DB75BD84CB50

Function 00B800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B800C6

Part of subcall function 00B800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C3070C,00000FA0,AF37C674,?,?,?,?,00BA23B3,000000FF), ref: 00B8011C
Part of subcall function 00B800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BA23B3,000000FF), ref: 00B80127
Part of subcall function 00B800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BA23B3,000000FF), ref: 00B80138
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B8014E
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B8015C
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B8016A
Part of subcall function 00B800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B80195
Part of subcall function 00B800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B801A0

___scrt_fastfail.LIBCMT ref: 00B800E7

Part of subcall function 00B800A3: __onexit.LIBCMT ref: 00B800A9

Strings

WakeAllConditionVariable, xrefs: 00B80162
SleepConditionVariableCS, xrefs: 00B80154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B80122
kernel32.dll, xrefs: 00B80133
InitializeConditionVariable, xrefs: 00B80148

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c21aaf78ce44e191dcbc0a2b737ce8746933ad68c9e349c73c79cdc054c20432
Instruction ID: 97a3f3e0a058ea0c0185dbb1f912e6f3a4c54a10533cd9c54530bc026c974fd9
Opcode Fuzzy Hash: c21aaf78ce44e191dcbc0a2b737ce8746933ad68c9e349c73c79cdc054c20432
Instruction Fuzzy Hash: 5521F53365470A6BE7507B64AC49B3D76D4DF06BA0F1001B9F905B32B1DF609844CB94

Function 00BC30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC318D
_wcslen.LIBCMT ref: 00BC31F8

Strings

CLASSNN, xrefs: 00BC31F3, 00BC3204
TEXT, xrefs: 00BC347C
REGEXPCLASS, xrefs: 00BC3255, 00BC3266
CLASS, xrefs: 00BC3188, 00BC31A5
NAME, xrefs: 00BC3335, 00BC3346
INSTANCE, xrefs: 00BC3453

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1a7770dac8fb02493774def20a0ca9ef1f7690b2ba329a5c8ffaecf756ea31f8
Instruction ID: c728bf71f633bb521140366b49d2d2fff210435b034310894740503f688535df
Opcode Fuzzy Hash: 1a7770dac8fb02493774def20a0ca9ef1f7690b2ba329a5c8ffaecf756ea31f8
Instruction Fuzzy Hash: BCE18331A005169BCF189FA8C491BEEBBE4FF54B10F94C1ADE456F7250DB30AE859790

Function 00BD44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00BFCC08), ref: 00BD4527
_wcslen.LIBCMT ref: 00BD453B
_wcslen.LIBCMT ref: 00BD4599
_wcslen.LIBCMT ref: 00BD45F4
_wcslen.LIBCMT ref: 00BD463F
_wcslen.LIBCMT ref: 00BD46A7

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

GetDriveTypeW.KERNEL32(?,00C26BF0,00000061), ref: 00BD4743

Strings

ramdisk, xrefs: 00BD46F1
all, xrefs: 00BD4531, 00BD4536
network, xrefs: 00BD469D, 00BD46A2
fixed, xrefs: 00BD4635, 00BD463A
removable, xrefs: 00BD45EA, 00BD45EF
cdrom, xrefs: 00BD458F, 00BD4594
unknown, xrefs: 00BD4708

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 39ebfdd4f920b1277b2f9568e87173ab5401172b1ae70dd98311046e38617c37
Instruction ID: d8e071243d06fe6be01191e69bbe35beeb4de87875279bc18ddfdf595d76c00d
Opcode Fuzzy Hash: 39ebfdd4f920b1277b2f9568e87173ab5401172b1ae70dd98311046e38617c37
Instruction Fuzzy Hash: 2FB1AD716083029FC710DF28D890A6AF7E5EFA5764F5049AEF49A87391E730D844CBA2

Function 00B6326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C31990), ref: 00BA2F8D
GetMenuItemCount.USER32(00C31990), ref: 00BA303D
GetCursorPos.USER32(?), ref: 00BA3081
SetForegroundWindow.USER32(00000000), ref: 00BA308A
TrackPopupMenuEx.USER32(00C31990,00000000,?,00000000,00000000,00000000), ref: 00BA309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BA30A9

Strings

0, xrefs: 00B6327D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 537696858a3312442109e1f456c718f6dbd4d4911bc856630c932233fc2443df
Instruction ID: 4c277ed7251c99af30be6711ad1839dccce98079379d6e21d775da293be8a8c1
Opcode Fuzzy Hash: 537696858a3312442109e1f456c718f6dbd4d4911bc856630c932233fc2443df
Instruction Fuzzy Hash: 39711970648205BEEB258F28CC89FAABFE4FF05724F204296F5156B1E0C7B5A954DB90

Function 00BF6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00BF6DEB

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BF6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BF6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF6E94
DestroyWindow.USER32(?), ref: 00BF6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B60000,00000000), ref: 00BF6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF6EFD
GetDesktopWindow.USER32 ref: 00BF6F16
GetWindowRect.USER32(00000000), ref: 00BF6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BF6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BF6F4D

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

Strings

0, xrefs: 00BF6D98
tooltips_class32, xrefs: 00BF6E58, 00BF6EDD

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5825ca4e6dc1906f70b43e1e0cc19739df25e43491880eb0448800ff752a4a35
Instruction ID: b36a28470a82cccfd5bbdafd4fae0b6cc43c1dfe2d9774cff19ca81e3649ed62
Opcode Fuzzy Hash: 5825ca4e6dc1906f70b43e1e0cc19739df25e43491880eb0448800ff752a4a35
Instruction Fuzzy Hash: 8F715675104348AFDB21CF18D844BBABBE9FB89304F08495DFA9987261CB70AD4ADB11

Function 00BF911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DragQueryPoint.SHELL32(?,?), ref: 00BF9147

Part of subcall function 00BF7674: ClientToScreen.USER32(?,?), ref: 00BF769A
Part of subcall function 00BF7674: GetWindowRect.USER32(?,?), ref: 00BF7710
Part of subcall function 00BF7674: PtInRect.USER32(?,?,00BF8B89), ref: 00BF7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00BF91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BF91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BF91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BF9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00BF923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00BF9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00BF9277
DragFinish.SHELL32(?), ref: 00BF927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BF9371

Strings

@GUI_DRAGID, xrefs: 00BF92E9
@GUI_DROPID, xrefs: 00BF929E
@GUI_DRAGFILE, xrefs: 00BF9320

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86145720abbf3c85a2524ea132f1030ee2a0606ade79eb18700002888b75b028
Instruction ID: 5f5594649756cc1d1396499d132d371f2fee20a2ee0116df104b3d3219a25de2
Opcode Fuzzy Hash: 86145720abbf3c85a2524ea132f1030ee2a0606ade79eb18700002888b75b028
Instruction Fuzzy Hash: 06617B71108305AFD701DF64DD85EAFBBE8EF88750F00096EF695931A1DB709A49CB52

Function 00BDC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BDC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BDC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BDC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BDC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00BDC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BDC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BDC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BDC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BDC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BDC5F0
InternetCloseHandle.WININET(00000000), ref: 00BDC5FB

Strings

, xrefs: 00BDC575

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 24f5551f418558914bec63cf352f7d6a182e3702bf5d553c08a59fba3a57b094
Instruction ID: bdde50084b292b0f1f387848384df2a3f0bfe00ac6dbbc5476fd8b5518f0c1e9
Opcode Fuzzy Hash: 24f5551f418558914bec63cf352f7d6a182e3702bf5d553c08a59fba3a57b094
Instruction Fuzzy Hash: EF515AB150020ABFDB219F60D989ABBBFFCFB18744F00445AF94697210EB30E944DB60

Function 00BF856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00BF8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85BA
GlobalLock.KERNEL32(00000000), ref: 00BF85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85D7
GlobalUnlock.KERNEL32(00000000), ref: 00BF85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00BFFC38,?), ref: 00BF8611
GlobalFree.KERNEL32(00000000), ref: 00BF8621
GetObjectW.GDI32(?,00000018,?), ref: 00BF8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00BF8671
DeleteObject.GDI32(?), ref: 00BF8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BF86AF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cab483ad0dccfbf5e499a7dfdc73b44ddb55e0287f320b009edf86d2459080f7
Instruction ID: cf8d626c54c4239c89a7fe56677ce23052ba4648d55510651f6377527985e75a
Opcode Fuzzy Hash: cab483ad0dccfbf5e499a7dfdc73b44ddb55e0287f320b009edf86d2459080f7
Instruction Fuzzy Hash: FC41F875600208BFDB11DFA5DD88EBA7BB8EF89B55F104058F905EB260DB309D45DB60

Function 00BD14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00BD1502
VariantCopy.OLEAUT32(?,?), ref: 00BD150B
VariantClear.OLEAUT32(?), ref: 00BD1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00BD15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00BD1657
VariantInit.OLEAUT32(?), ref: 00BD1708
SysFreeString.OLEAUT32(?), ref: 00BD178C
VariantClear.OLEAUT32(?), ref: 00BD17D8
VariantClear.OLEAUT32(?), ref: 00BD17E7
VariantInit.OLEAUT32(00000000), ref: 00BD1823

Strings

Default, xrefs: 00BD16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00BD1625

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 093e82e2a1f1d6e7f6c2216970d9496194db158b5667c34147b9476a53e007a7
Instruction ID: b010d487acfb64268e93db804ca526d8e3279e9cc726d059d92d5c4802d7b0a7
Opcode Fuzzy Hash: 093e82e2a1f1d6e7f6c2216970d9496194db158b5667c34147b9476a53e007a7
Instruction Fuzzy Hash: B6D1CC71A00505EBDB109F69E885B79F7F5FF45704F1088E6E406AB290EB38EC45DB62

Function 00BEB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00BEB80A
RegCloseKey.ADVAPI32(?), ref: 00BEB87E
RegCloseKey.ADVAPI32(?), ref: 00BEB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00BEB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BEB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00BEB922
FreeLibrary.KERNEL32(00000000), ref: 00BEB983
RegCloseKey.ADVAPI32(00000000), ref: 00BEB994

Strings

RegDeleteKeyExW, xrefs: 00BEB8FE
advapi32.dll, xrefs: 00BEB8ED

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 15ba3e19a02d7609fad9156b64b3f549bc9349fe3ae5c2ce534c98ff53ca5434
Instruction ID: 6703167818452e5f8b681d648ccc242fded752a270b92f630bd77d2be05a0bb3
Opcode Fuzzy Hash: 15ba3e19a02d7609fad9156b64b3f549bc9349fe3ae5c2ce534c98ff53ca5434
Instruction Fuzzy Hash: 52C18934208281AFD710DF25C495F2ABBE5FF84308F14859CE49A8B7A2CB75ED46CB91

Function 00BE255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BE25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BE25E8
CreateCompatibleDC.GDI32(?), ref: 00BE25F4
SelectObject.GDI32(00000000,?), ref: 00BE2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00BE266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00BE26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00BE26D0
SelectObject.GDI32(?,?), ref: 00BE26D8
DeleteObject.GDI32(?), ref: 00BE26E1
DeleteDC.GDI32(?), ref: 00BE26E8
ReleaseDC.USER32(00000000,?), ref: 00BE26F3

Strings

(, xrefs: 00BE268D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ddfb6cf59466f5eb597c8d1bb1812e56d6de5459825e35895649a3d350770a09
Instruction ID: 6a41e0af216bcd2845d06204222d27b7b5ae54753f2e26e065b2969cbe6eaa99
Opcode Fuzzy Hash: ddfb6cf59466f5eb597c8d1bb1812e56d6de5459825e35895649a3d350770a09
Instruction Fuzzy Hash: 5A61C075D00219EFCF04CFA8D984AAEBBF9FF48310F248569E955A7250D770A951CF50

Function 00B9DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B9DAA1

Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D659
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D66B
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D67D
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D68F
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6A1
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6B3
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6C5
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6D7
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6E9
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6FB
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D70D
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D71F
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D731

_free.LIBCMT ref: 00B9DA96

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9DAB8
_free.LIBCMT ref: 00B9DACD
_free.LIBCMT ref: 00B9DAD8
_free.LIBCMT ref: 00B9DAFA
_free.LIBCMT ref: 00B9DB0D
_free.LIBCMT ref: 00B9DB1B
_free.LIBCMT ref: 00B9DB26
_free.LIBCMT ref: 00B9DB5E
_free.LIBCMT ref: 00B9DB65
_free.LIBCMT ref: 00B9DB82
_free.LIBCMT ref: 00B9DB9A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4bd014ba321d88124a7dbdd45b642f2899972074cdc682dac13b78eb384d3a7a
Instruction ID: 57a75b513357fd144cf34a461a6d2d62a15299e3d09b27498330ce3485c1d5ba
Opcode Fuzzy Hash: 4bd014ba321d88124a7dbdd45b642f2899972074cdc682dac13b78eb384d3a7a
Instruction Fuzzy Hash: 84314971A04305AFEF21AB3AE845B5AB7E9FF10320F5544B9E549D7291DF31AC90CB60

Function 00BC365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BC369C
_wcslen.LIBCMT ref: 00BC36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BC3797
GetClassNameW.USER32(?,?,00000400), ref: 00BC380C
GetDlgCtrlID.USER32(?), ref: 00BC385D
GetWindowRect.USER32(?,?), ref: 00BC3882
GetParent.USER32(?), ref: 00BC38A0
ScreenToClient.USER32(00000000), ref: 00BC38A7
GetClassNameW.USER32(?,?,00000100), ref: 00BC3921
GetWindowTextW.USER32(?,?,00000400), ref: 00BC395D

Strings

%s%u, xrefs: 00BC3734

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 790a6a4450617e511a34203c7c6fa63763b167877bd9ecad1f1f3115deda026e
Instruction ID: 0a662418cb9910609298a9c48058cbcb8780fd87313954375e2a878c4f0ce010
Opcode Fuzzy Hash: 790a6a4450617e511a34203c7c6fa63763b167877bd9ecad1f1f3115deda026e
Instruction Fuzzy Hash: 6491AF71204606AFDB18DF24C885FAAF7E8FF44750F40856DF99AD3190DB70AA45CB91

Function 00BC4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00BC4994
GetWindowTextW.USER32(?,?,00000400), ref: 00BC49DA
_wcslen.LIBCMT ref: 00BC49EB
CharUpperBuffW.USER32(?,00000000), ref: 00BC49F7
_wcsstr.LIBVCRUNTIME ref: 00BC4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00BC4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00BC4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00BC4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00BC4B20
GetWindowRect.USER32(?,?), ref: 00BC4B8B

Strings

ThumbnailClass, xrefs: 00BC4A6F, 00BC4AF1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e12977a9eaa9ad212d57a7c8f696c00e4125d8825f3dbc0e7e7e14163e7b65ad
Instruction ID: 37c9ef074b078e9307f6b2a8dc1c1c3c36836a7c4ed69cdb2fe3d8dc6515a5cf
Opcode Fuzzy Hash: e12977a9eaa9ad212d57a7c8f696c00e4125d8825f3dbc0e7e7e14163e7b65ad
Instruction Fuzzy Hash: 72919D71108209AFDB14DF14C995FAA7BE8EF44314F0484ADFD859B1A6DB30EE45CBA1

Function 00BF8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BF8D5A
GetFocus.USER32 ref: 00BF8D6A
GetDlgCtrlID.USER32(00000000), ref: 00BF8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00BF8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BF8ECF
GetMenuItemCount.USER32(?), ref: 00BF8EEC
GetMenuItemID.USER32(?,00000000), ref: 00BF8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BF8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BF8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BF8FA1

Strings

0, xrefs: 00BF8E9F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 2f3bc1bc171b69e115be15f5ea32c993c8aec5751b0f68df9ddf9ad3a0cc4ed4
Instruction ID: 8f377a3e8a9800d634c1b23e83fcf655d1b6cf7693768c2d9d08f288891e7fe0
Opcode Fuzzy Hash: 2f3bc1bc171b69e115be15f5ea32c993c8aec5751b0f68df9ddf9ad3a0cc4ed4
Instruction Fuzzy Hash: DC81AF71508309AFDB10CF14D885ABB7BE9FF98314F1409ADFA9497291DB30D948CBA1

Function 00BCDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BCDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BCDC46
_wcslen.LIBCMT ref: 00BCDC50
_wcsstr.LIBVCRUNTIME ref: 00BCDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BCDCBC

Strings

DefaultLangCodepage, xrefs: 00BCDD1F
\VarFileInfo\Translation, xrefs: 00BCDCB4
%u.%u.%u.%u, xrefs: 00BCDD9A
04090000, xrefs: 00BCDCF2
StringFileInfo\, xrefs: 00BCDC8F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a1c7afd8a0634b803bc7ea034713712fc2f6f313bac26a45916a031a493a0e7c
Instruction ID: a7cbc4b78683386f6db56293fedd3c2e7ec8487f2b05c70fed5d813b481da3ca
Opcode Fuzzy Hash: a1c7afd8a0634b803bc7ea034713712fc2f6f313bac26a45916a031a493a0e7c
Instruction Fuzzy Hash: 5241EE369402197ADB10BB649C43EBF7BECEF41710F1440FAF905A71A2EA649901E7A9

Function 00BECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00BECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BECD48

Part of subcall function 00BECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00BECCAA
Part of subcall function 00BECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00BECCBD
Part of subcall function 00BECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BECCCF
Part of subcall function 00BECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BECD05
Part of subcall function 00BECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BECCF3

Strings

RegDeleteKeyExW, xrefs: 00BECCC9
advapi32.dll, xrefs: 00BECCB8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d3124abdd6ea17dffa7763f1a39bba5687e4cc0940e5914d5ea29e26156cbdd7
Instruction ID: 27e5ab802335025db3c95aba6cad8122f5cc05c2737dbfe5d13e6fae390e326f
Opcode Fuzzy Hash: d3124abdd6ea17dffa7763f1a39bba5687e4cc0940e5914d5ea29e26156cbdd7
Instruction Fuzzy Hash: F9316E7190112DBBDB208B65DC88EFFBFBCEF55750F1041B5A906E3240DB349A86DAA0

Function 00BD3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BD3D40
_wcslen.LIBCMT ref: 00BD3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BD3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BD3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00BD3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BD3E55
CloseHandle.KERNEL32(00000000), ref: 00BD3E60
CloseHandle.KERNEL32(00000000), ref: 00BD3E6B

Strings

\??\%s, xrefs: 00BD3D5B
:, xrefs: 00BD3D82
\, xrefs: 00BD3D77

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7104db0bb2e9958d92563cee96f0c5dbcc7d5f8996ff6f133fbe657f48d00d71
Instruction ID: bcaf2bba3ea48977bd45f4e33fee99229993a83f452359c4b44add3dc6192e28
Opcode Fuzzy Hash: 7104db0bb2e9958d92563cee96f0c5dbcc7d5f8996ff6f133fbe657f48d00d71
Instruction Fuzzy Hash: 35318C7290020AAADB209FA0DC49FEB77F9EF88B40F1040B6F50997161EB709784CB25

Function 00BCE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BCE6B4

Part of subcall function 00B7E551: timeGetTime.WINMM(?,?,00BCE6D4), ref: 00B7E555

Sleep.KERNEL32(0000000A), ref: 00BCE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00BCE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BCE727
SetActiveWindow.USER32 ref: 00BCE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BCE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BCE773
Sleep.KERNEL32(000000FA), ref: 00BCE77E
IsWindow.USER32 ref: 00BCE78A
EndDialog.USER32(00000000), ref: 00BCE79B

Strings

BUTTON, xrefs: 00BCE719

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0b4a14146a00afacf17ba9b289493d3e64045bf247d44c7a0484eb4fbfc0a380
Instruction ID: dc28bba8e1343ebfa98157170e139c23c78aa59cf18839b2481e3e4fd162253f
Opcode Fuzzy Hash: 0b4a14146a00afacf17ba9b289493d3e64045bf247d44c7a0484eb4fbfc0a380
Instruction Fuzzy Hash: BE216DB1210A08EFEB005F21ED8AF3A3FA9EB54748B105469F925C31B1DF71EC50CA64

Function 00BCE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BCEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BCEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BCEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BCEAA7

Strings

alias PlayMe, xrefs: 00BCEA36
status PlayMe mode, xrefs: 00BCEA58
open , xrefs: 00BCEA0C
close PlayMe, xrefs: 00BCEA6E, 00BCEA9B
play PlayMe wait, xrefs: 00BCEA91
play PlayMe, xrefs: 00BCEAA2

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ff0d345cef54acdce3586803bf630d89c417ccb6db8489065df14ad319cdc079
Instruction ID: f7e86c7d370909a048b63aaabd87f79ceaf36342c84149c50ada864687ac4a4d
Opcode Fuzzy Hash: ff0d345cef54acdce3586803bf630d89c417ccb6db8489065df14ad319cdc079
Instruction Fuzzy Hash: 54112131A90269BDD720B7A5ED4AEFF6AFCEBD2B40F440479B411A20D1EEB05945C9B0

Function 00BC5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BC5CE2
GetWindowRect.USER32(00000000,?), ref: 00BC5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00BC5D59
GetDlgItem.USER32(?,00000002), ref: 00BC5D69
GetWindowRect.USER32(00000000,?), ref: 00BC5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00BC5DCF
GetDlgItem.USER32(?,000003E9), ref: 00BC5DDD
GetWindowRect.USER32(00000000,?), ref: 00BC5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00BC5E31
GetDlgItem.USER32(?,000003EA), ref: 00BC5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BC5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00BC5E67

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1e493fa428e2224faba850f9c3cae1a5d4038f258812ca2414ae799ad6d41dc7
Instruction ID: 891c7065b1ae8d8cf97da349696c03a5058da28a989064e055eac45085f62604
Opcode Fuzzy Hash: 1e493fa428e2224faba850f9c3cae1a5d4038f258812ca2414ae799ad6d41dc7
Instruction Fuzzy Hash: 0151FF71A00609AFDF18DF68DD89EAEBBF5EB48310F148169F516E7290DB70AE44CB50

Function 00B78BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B78BE8,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78FC5

DestroyWindow.USER32(?), ref: 00B78C81
KillTimer.USER32(00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00BB6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00BB69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00BB69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000), ref: 00BB69D4
DeleteObject.GDI32(00000000), ref: 00BB69E6

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f820765fa0d69c0082d3d76d4636a2b1de96791a85b5ebad4dae3e37e8c4b396
Instruction ID: 1d58fb3908dd22fbbf287fc3437e0c1efd649b0c3320c94e03221350a25c6554
Opcode Fuzzy Hash: f820765fa0d69c0082d3d76d4636a2b1de96791a85b5ebad4dae3e37e8c4b396
Instruction Fuzzy Hash: 78618C30511704DFCB269F24DA48B79BBF1FB44322F1885A8E45A9B5A0CB75AD80CF90

Function 00B79838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

GetSysColor.USER32(0000000F), ref: 00B79862

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 23463b65e64f6aecd5b9fd0479f3527a8e9a09d6eabc6e3ffbcfcadf894bb5a2
Instruction ID: 7afd25e9c8058e520969a49217bcdd0378fc6e7d2a2ff5f3215eaf09e80250dd
Opcode Fuzzy Hash: 23463b65e64f6aecd5b9fd0479f3527a8e9a09d6eabc6e3ffbcfcadf894bb5a2
Instruction Fuzzy Hash: 9B41F331104604AFDB209F389C84BB93BE5EB57370F148685F9B69B2E1CB709D82DB11

Function 00BC96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00BC9717
LoadStringW.USER32(00000000,?,00BAF7F8,00000001), ref: 00BC9720

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00BC9742
LoadStringW.USER32(00000000,?,00BAF7F8,00000001), ref: 00BC9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00BC9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BC984A
Line %d:, xrefs: 00BC97A0
^ ERROR, xrefs: 00BC97FB
Line %d (File "%s"):, xrefs: 00BC978F
Error: , xrefs: 00BC981D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: fb209b2ad537a4242fbb015c1517c1e5cbb35a7454d38f9070d214e57f8f0308
Instruction ID: 5b177e8965de2d9531b11a0e3b4f725bf0c3118af132cfaffa8970d88fba2e9e
Opcode Fuzzy Hash: fb209b2ad537a4242fbb015c1517c1e5cbb35a7454d38f9070d214e57f8f0308
Instruction Fuzzy Hash: DE412B72800219AADF04EBE0DE86EEE77BCAF55740F1400A5F60573192EB396F48CB61

Function 00BC06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BC07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BC07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BC07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BC0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00BC082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BC0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BC083C

Strings

\CLSID, xrefs: 00BC0724
SOFTWARE\Classes\, xrefs: 00BC070E
\IPC$, xrefs: 00BC0784

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 253b4144dd9bc3aa79c8370a7379ac7ab5a96b0c0ee67f866b8c460c1fe32909
Instruction ID: 765cd345092acfeac217650a872825a334d4bca824c32c65d4658395a2d91791
Opcode Fuzzy Hash: 253b4144dd9bc3aa79c8370a7379ac7ab5a96b0c0ee67f866b8c460c1fe32909
Instruction Fuzzy Hash: 8C41F572C10229EBDF15EFA4DC95DEEB7B8FF04750B1441A9E901A31A1EB349E45CBA0

Function 00BE3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE3C5C
CoInitialize.OLE32(00000000), ref: 00BE3C8A
CoUninitialize.OLE32 ref: 00BE3C94
_wcslen.LIBCMT ref: 00BE3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00BE3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00BE3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00BE3F0E
CoGetObject.OLE32(?,00000000,00BFFB98,?), ref: 00BE3F2D
SetErrorMode.KERNEL32(00000000), ref: 00BE3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BE3FC4
VariantClear.OLEAUT32(?), ref: 00BE3FD8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 91a03ca3e12774f30e65a3ef3cd89c2a5bee6bc5c0a41b3d64d73ef449e2e553
Instruction ID: 216e34a8160e0a9b40aa2056b066288e5848fdb8d5656ac16159a470928ead39
Opcode Fuzzy Hash: 91a03ca3e12774f30e65a3ef3cd89c2a5bee6bc5c0a41b3d64d73ef449e2e553
Instruction Fuzzy Hash: 9CC159716043459FC700DF65C88892BBBE9FF89B44F1049ADF98A9B210DB31ED45CB92

Function 00BD7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BD7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BD7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00BD7BA3
CoCreateInstance.OLE32(00BFFD08,00000000,00000001,00C26E6C,?), ref: 00BD7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BD7C74
CoTaskMemFree.OLE32(?,?), ref: 00BD7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00BD7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BD7D7A
CoTaskMemFree.OLE32(00000000), ref: 00BD7D81
CoTaskMemFree.OLE32(00000000), ref: 00BD7DD6
CoUninitialize.OLE32 ref: 00BD7DDC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 67e1e6b2181e539402e2edd04e42e52d3cae03fa1de2bb3b293872c512a144f3
Instruction ID: 9f08d36b25f48149c1256ff8b8dec8f91dce544d6d1a6abef0ab97c70d2ccbc3
Opcode Fuzzy Hash: 67e1e6b2181e539402e2edd04e42e52d3cae03fa1de2bb3b293872c512a144f3
Instruction Fuzzy Hash: 64C10C75A04109AFCB14DF64C894DAEBBF9FF48314B1484A9E91ADB361EB30ED45CB90

Function 00BF541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BF5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF5515
CharNextW.USER32(00000158), ref: 00BF5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BF5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BF559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF55AC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 1d8a1de4e893f2ca7fbf5dce260fdc2a6c7de5778b149ed5036e003fb64a1bf6
Instruction ID: ff663bc63516b987272200feecd80f30fa07b2e4a43b5f9f8967a202d2f02ad6
Opcode Fuzzy Hash: 1d8a1de4e893f2ca7fbf5dce260fdc2a6c7de5778b149ed5036e003fb64a1bf6
Instruction Fuzzy Hash: A5616D7490460CAFDF209F54CC85AFE7BF9EB09721F108189FB25A7290D7749A89DB60

Function 00BBFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BBFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00BBFB08
VariantInit.OLEAUT32(?), ref: 00BBFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BBFB3A
VariantCopy.OLEAUT32(?,?), ref: 00BBFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BBFBA1
VariantClear.OLEAUT32(?), ref: 00BBFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00BBFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BBFBCC
VariantClear.OLEAUT32(?), ref: 00BBFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BBFBE9

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ca216a0e7bc95e964baa73813ea88536ba216326fadb3fee4cb9f0815865858e
Instruction ID: 8265da55002ce7133f9c8214815f0655a37a4159dc8eae9c77b6807f2f3845ac
Opcode Fuzzy Hash: ca216a0e7bc95e964baa73813ea88536ba216326fadb3fee4cb9f0815865858e
Instruction Fuzzy Hash: 82415E35A0021A9FCF14DF68DC549FEBFB9EF48344F0084A9E955A7361CB70A945CBA0

Function 00BC9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BC9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00BC9D22
GetKeyState.USER32(000000A0), ref: 00BC9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00BC9D57
GetKeyState.USER32(000000A1), ref: 00BC9D6C
GetAsyncKeyState.USER32(00000011), ref: 00BC9D84
GetKeyState.USER32(00000011), ref: 00BC9D96
GetAsyncKeyState.USER32(00000012), ref: 00BC9DAE
GetKeyState.USER32(00000012), ref: 00BC9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00BC9DD8
GetKeyState.USER32(0000005B), ref: 00BC9DEA

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b2e1262326d2f528547808ed1bab58024cefe50e77390c7b666a80d93b419b2a
Instruction ID: 36d09c95fb2711e6824339c3e967ece0b7d0e2590941d5b10b5238342ab89232
Opcode Fuzzy Hash: b2e1262326d2f528547808ed1bab58024cefe50e77390c7b666a80d93b419b2a
Instruction Fuzzy Hash: C141D8745047CA69FF308764940CBB6BEE0EB21344F0480EEDAC7675C2DBA499C8C7A2

Function 00BE055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BE05BC
inet_addr.WSOCK32(?), ref: 00BE061C
gethostbyname.WSOCK32(?), ref: 00BE0628
IcmpCreateFile.IPHLPAPI ref: 00BE0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00BE07B9
WSACleanup.WSOCK32 ref: 00BE07BF

Strings

Ping, xrefs: 00BE0676

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0c6dd7fb99eab2cb3516838c35accb6b59684615fdb2b26603db4a1faa76fa20
Instruction ID: 201c9e1b33f2991045f88ab0262f536df5c1965d5fcda0d615152e037ee83714
Opcode Fuzzy Hash: 0c6dd7fb99eab2cb3516838c35accb6b59684615fdb2b26603db4a1faa76fa20
Instruction Fuzzy Hash: 0A919F356182419FD320EF16C588F2ABBE0EF44318F1485E9F4699B6A2C7B4ED85CF91

Function 00BE8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00BE8CF3

Part of subcall function 00BC8E54: _wcslen.LIBCMT ref: 00BC8E77

_wcslen.LIBCMT ref: 00BE8D4E
_wcslen.LIBCMT ref: 00BE8D9C
_wcslen.LIBCMT ref: 00BE8DDC
_wcslen.LIBCMT ref: 00BE8E6E

Strings

stdcall, xrefs: 00BE8DD6, 00BE8DDB
winapi, xrefs: 00BE8D96, 00BE8D9B
cdecl, xrefs: 00BE8D48, 00BE8D4D
none, xrefs: 00BE8E65, 00BE8E6A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8ed325ab5350143b18be1294fe5866ff4a02ba69e28961df2e36062799c4d419
Instruction ID: d5733c1c03ac805bc5e4bdbe85cddb98f2a487dc56176a52ed420dcaeff5112e
Opcode Fuzzy Hash: 8ed325ab5350143b18be1294fe5866ff4a02ba69e28961df2e36062799c4d419
Instruction Fuzzy Hash: 62519031A009569BCF24DF6DC9819BEB7E6FF64724B2042A9E42AE72C4DB35DD40C790

Function 00BE372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00BE3774
CoUninitialize.OLE32 ref: 00BE377F
CoCreateInstance.OLE32(?,00000000,00000017,00BFFB78,?), ref: 00BE37D9
IIDFromString.OLE32(?,?), ref: 00BE384C
VariantInit.OLEAUT32(?), ref: 00BE38E4
VariantClear.OLEAUT32(?), ref: 00BE3936

Strings

Invalid parameter, xrefs: 00BE3865
Failed to create object, xrefs: 00BE37E4, 00BE389A
NULL Pointer assignment, xrefs: 00BE381E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f4a378743dfb2f7a4e21db313dcb7e524d62a837bddbf3e90d864baa4cb7cc38
Instruction ID: e2073eada117a9c2a2c5c5b2987e0eb5aae28cb445ce8f0e3f869abb87e58550
Opcode Fuzzy Hash: f4a378743dfb2f7a4e21db313dcb7e524d62a837bddbf3e90d864baa4cb7cc38
Instruction Fuzzy Hash: BF61B071608341AFD310DF55D888F6ABBE8EF48B14F10499DF9859B291DB70EE48CB92

Function 00BD8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BD8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BD8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BD838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8395

Strings

*.*, xrefs: 00BD839B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e08682bf7fa7f5c27d2f0aefaef63608c3eccf636cf71eba06364e83c1ab9e6c
Instruction ID: 846e28686d7d291e0eac49c05aa694f81e4a8ddc7ce4d3d0ecb6e323d9c34ecb
Opcode Fuzzy Hash: e08682bf7fa7f5c27d2f0aefaef63608c3eccf636cf71eba06364e83c1ab9e6c
Instruction Fuzzy Hash: 3E616A725043459FCB10EF64C8409AEF7E8FF89320F0449AEF99997251EB35E949CB92

Function 00BD3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BD33CF

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BD33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00BD3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00BD3504
^ ERROR , xrefs: 00BD349E
Line %d (File "%s"):, xrefs: 00BD3443, 00BD345C
Error: , xrefs: 00BD34D1
Incorrect parameters to object property !, xrefs: 00BD34AB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1021da21d7cf67635a916b2b9e4d69ec07e40c61f3ddbd33acbaeba1a4fa85aa
Instruction ID: a73d9087b3bc17a119c731022e256a8966f9d1737dc87da015606f3abaf6f485
Opcode Fuzzy Hash: 1021da21d7cf67635a916b2b9e4d69ec07e40c61f3ddbd33acbaeba1a4fa85aa
Instruction Fuzzy Hash: C9516D32900209AADF15EBA0DE46EEEB7F8EF14740F1440A5F505731A2EB356F58DB61

Function 00BCB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BCB5FC
_wcslen.LIBCMT ref: 00BCB608
_wcslen.LIBCMT ref: 00BCB64D
_wcslen.LIBCMT ref: 00BCB68C
_wcslen.LIBCMT ref: 00BCB6C7

Strings

REMOVE, xrefs: 00BCB602, 00BCB607
APPEND, xrefs: 00BCB6C1, 00BCB6C6
KEYS, xrefs: 00BCB647, 00BCB64C
EXISTS, xrefs: 00BCB686, 00BCB68B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d9546f7bc442abeed0ea8c49412d81e2219a8897b1ff29d753fa868c14e7dd75
Instruction ID: deb569baf99b114b1f480b418f0ceaa914ae0e1c369699c2e3dc712b622511ed
Opcode Fuzzy Hash: d9546f7bc442abeed0ea8c49412d81e2219a8897b1ff29d753fa868c14e7dd75
Instruction Fuzzy Hash: 2A419532A001269ACB206F7DC992EBEB7E5EB60B54F2441BEE465D7284E735CD81C790

Function 00BD5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BD5416
GetLastError.KERNEL32 ref: 00BD5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00BD54A7

Strings

NOTREADY, xrefs: 00BD544B
READY, xrefs: 00BD5460, 00BD5468
INVALID, xrefs: 00BD5459
READONLY, xrefs: 00BD5452
UNKNOWN, xrefs: 00BD5444

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d5665ad8c3d6ceda33fbff2253d2a469f4a833990c42944c53e55f11b33c0707
Instruction ID: aca7c217db1df24fcdc5ca9ffc764b825101cdb2380c6d8bd46a4ccbb700a511
Opcode Fuzzy Hash: d5665ad8c3d6ceda33fbff2253d2a469f4a833990c42944c53e55f11b33c0707
Instruction Fuzzy Hash: 18319375A005089FCB20DF68C584AAABBF4EF45305F1480AAE405DB356EB71DD86CF92

Function 00BF3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00BF3C79
SetMenu.USER32(?,00000000), ref: 00BF3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF3D10
IsMenu.USER32(?), ref: 00BF3D24
CreatePopupMenu.USER32 ref: 00BF3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF3D5B
DrawMenuBar.USER32 ref: 00BF3D63

Strings

F, xrefs: 00BF3D4E
0, xrefs: 00BF3C54

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1423eb9fd20769e4a489113b912db91430b3fd6b384a323d8b09a5ce325d0fee
Instruction ID: f93e26c0566d58c56abc9ee8d4bdac78d67dc44f5a2b13ae1b4507b5e3051035
Opcode Fuzzy Hash: 1423eb9fd20769e4a489113b912db91430b3fd6b384a323d8b09a5ce325d0fee
Instruction Fuzzy Hash: 0B416779A01209EFDB14DF64D884BAA7BF5FF49750F140068EA56A7360D730AA18CF94

Function 00BF3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BF3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BF3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00BF3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BF3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BF3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00BF3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00BF3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00BF3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00BF3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00BF3C13

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b381c857980687635a5d1beaf54e1a525b642591a3b31675fcb9c2574ac1aa13
Instruction ID: 623e301219065cf71ad0b4a94211fcffedb686c07a877f92bba4d723f1b3fbb5
Opcode Fuzzy Hash: b381c857980687635a5d1beaf54e1a525b642591a3b31675fcb9c2574ac1aa13
Instruction Fuzzy Hash: 60613775A00248AFDB10DFA8CC81FFE77F8EB09710F144199FA15A72A2D774AA45DB50

Function 00BCB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BCB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB165
GetWindowThreadProcessId.USER32(00000000), ref: 00BCB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BCB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB21D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c4d15176880925156602fbc6771bfb076182f94c8c3256a8df90b7081959530e
Instruction ID: ee772ae089e9403ff231fac9cde06604f48caeee4a0fee98eb0e3babefd7e297
Opcode Fuzzy Hash: c4d15176880925156602fbc6771bfb076182f94c8c3256a8df90b7081959530e
Instruction Fuzzy Hash: F4316771520208BFDB249F24DD8AFBE7FA9EB51311F244049FA01DB190DBB89E808B60

Function 00B92C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B92C94

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B92CA0
_free.LIBCMT ref: 00B92CAB
_free.LIBCMT ref: 00B92CB6
_free.LIBCMT ref: 00B92CC1
_free.LIBCMT ref: 00B92CCC
_free.LIBCMT ref: 00B92CD7
_free.LIBCMT ref: 00B92CE2
_free.LIBCMT ref: 00B92CED
_free.LIBCMT ref: 00B92CFB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21bc71fa06f005f563a6c4ab7db46d3d14216f72aa6341639c71d8a6980c9fe2
Instruction ID: 8444479e3de099674d58b9a10b088086dd399b6f3f3e1445aa0d5de05fa5705c
Opcode Fuzzy Hash: 21bc71fa06f005f563a6c4ab7db46d3d14216f72aa6341639c71d8a6980c9fe2
Instruction Fuzzy Hash: DE114076910108BFCF02EF94D982CDD7BA9FF05350F9145B5FA489B322DA31EA509B90

Function 00BD7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD7FC1
GetFileAttributesW.KERNEL32(?), ref: 00BD7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BD8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BD80B0

Strings

*.*, xrefs: 00BD8066

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: d8cfafaa19be46b49621509ab89ace4912c1473b33e71195b094938aa5365614
Instruction ID: f34d7d00ec18bda9e99ad0354551049f2a8be8618df09bbe4d4ed6e6317e13dd
Opcode Fuzzy Hash: d8cfafaa19be46b49621509ab89ace4912c1473b33e71195b094938aa5365614
Instruction Fuzzy Hash: 998180715482459BCB20EF54C8849AAF7E8EB88314F14489FF889D7351FB35DD49CB92

Function 00B65BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B65C7A

Part of subcall function 00B65D0A: GetClientRect.USER32(?,?), ref: 00B65D30
Part of subcall function 00B65D0A: GetWindowRect.USER32(?,?), ref: 00B65D71
Part of subcall function 00B65D0A: ScreenToClient.USER32(?,?), ref: 00B65D99

GetDC.USER32 ref: 00BA46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BA4708
SelectObject.GDI32(00000000,00000000), ref: 00BA4716
SelectObject.GDI32(00000000,00000000), ref: 00BA472B
ReleaseDC.USER32(?,00000000), ref: 00BA4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BA47C4

Strings

U, xrefs: 00BA4693

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3e67e69b4e77a465b32157cff37ea7e4a46cfe6813176aca97ca3775dbf4cc19
Instruction ID: 0d09926c3da35a362d789e787ac76fb9331e6d5bcad8216702e6ff3ec2284211
Opcode Fuzzy Hash: 3e67e69b4e77a465b32157cff37ea7e4a46cfe6813176aca97ca3775dbf4cc19
Instruction Fuzzy Hash: DB71D031408249DFCF218F68C984ABA7BF5FF8A320F1842E9ED555A1A6C7B49C91DF50

Function 00BD359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00BD35E4

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

LoadStringW.USER32(00C32390,?,00000FFF,?), ref: 00BD360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00BD3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00BD3724
^ ERROR, xrefs: 00BD36C9
Line %d (File "%s"):, xrefs: 00BD366B
Error: , xrefs: 00BD36EF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5a91b6b1a2a56e700a45a02ff256892a261427ce0b78bdfed9cc84347b8dde91
Instruction ID: 8491cd3d8cfe838364c74644932389faac0254ca149e3cc9e1e194e0e90c5011
Opcode Fuzzy Hash: 5a91b6b1a2a56e700a45a02ff256892a261427ce0b78bdfed9cc84347b8dde91
Instruction Fuzzy Hash: 73518F72800209BADF14EBA0DD42EEDBBF8EF14700F1441A5F505721A2EB345B98DFA5

Function 00BF8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

Part of subcall function 00B7912D: GetCursorPos.USER32(?), ref: 00B79141
Part of subcall function 00B7912D: ScreenToClient.USER32(00000000,?), ref: 00B7915E
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000001), ref: 00B79183
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000002), ref: 00B7919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00BF8B6B
ImageList_EndDrag.COMCTL32 ref: 00BF8B71
ReleaseCapture.USER32 ref: 00BF8B77
SetWindowTextW.USER32(?,00000000), ref: 00BF8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BF8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00BF8CFF

Strings

@GUI_DROPID, xrefs: 00BF8C51
@GUI_DRAGFILE, xrefs: 00BF8C9A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 1adf09686805324cc73af40d1aba2d3673bf676e532f7385ed07b7da90f96957
Instruction ID: 2f8258229a1a802262ed88bb276ffbc57f70d66dc9066e71ae7359653e46c215
Opcode Fuzzy Hash: 1adf09686805324cc73af40d1aba2d3673bf676e532f7385ed07b7da90f96957
Instruction Fuzzy Hash: B6517B71204308AFD704DF24DD96BBA7BE4FB88750F040669FA96972E1CB749948CB62

Function 00BDC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BDC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BDC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BDC2CA
GetLastError.KERNEL32 ref: 00BDC322
SetEvent.KERNEL32(?), ref: 00BDC336
InternetCloseHandle.WININET(00000000), ref: 00BDC341

Strings

, xrefs: 00BDC2BB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8f196d55576fafb7e670897eae903ee893fd7e53ef8b9b7b4c3c5046e0a9df96
Instruction ID: 3efc66c9eb69827050057f14b0bef1072f5dcce8d440809031c876df6ee020a5
Opcode Fuzzy Hash: 8f196d55576fafb7e670897eae903ee893fd7e53ef8b9b7b4c3c5046e0a9df96
Instruction Fuzzy Hash: 93316BB1600609AFDB21AF658988ABBBFFCEB49754B10855EF44693310EB30ED44DB64

Function 00BC989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BA3AAF,?,?,Bad directive syntax error,00BFCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BC98BC
LoadStringW.USER32(00000000,?,00BA3AAF,?), ref: 00BC98C3

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BC9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00BC98F1
., xrefs: 00BC996D
Error: , xrefs: 00BC9955
Line %d:, xrefs: 00BC9912
Line %d (File "%s"):, xrefs: 00BC992D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 028af32b8cbf6d446da098dae3bb73f36fb323de8c702f4e1a9749007fd528ee
Instruction ID: 743e5ce878b0df147e7a0b418b0506e6ba4638a948c80711cda7375568f7982a
Opcode Fuzzy Hash: 028af32b8cbf6d446da098dae3bb73f36fb323de8c702f4e1a9749007fd528ee
Instruction Fuzzy Hash: A021803180021EABDF11EF90CC0AEFE77B9FF18700F0444A9F515620A2EB759A58DB60

Function 00BC209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BC20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00BC20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BC214D

Strings

details, xrefs: 00BC20FB
largeicons, xrefs: 00BC20E1
list, xrefs: 00BC212F
smallicons, xrefs: 00BC2115
SHELLDLL_DefView, xrefs: 00BC20CC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 76bd63e64d11535e195845196cd2637c88c1cd937fb83069e505a2472a0fb40d
Instruction ID: a3442e7a54a616f781eb62f36f1282e39662e0d8762f4e06af52822231b3a9b9
Opcode Fuzzy Hash: 76bd63e64d11535e195845196cd2637c88c1cd937fb83069e505a2472a0fb40d
Instruction Fuzzy Hash: 4411C676688717BAFA157720EC06EB777DCDF05725B2001BAFB04FA0E1EE7168419A14

Function 00B98D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d569d7e095ecfa9189968394314080498e5d56d931f76af64e254cc24438add
Instruction ID: b2aa85dac2e3af061b5ffb18d17f7ba6a7ca4622392b47d9d1a46720936c66d7
Opcode Fuzzy Hash: 8d569d7e095ecfa9189968394314080498e5d56d931f76af64e254cc24438add
Instruction Fuzzy Hash: 74C1BE75D04249AFDF11EFACC891BADBBF0AF0A310F1440E9F425A7292D7309941CB61

Function 00B9CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B9CEB7
_free.LIBCMT ref: 00B9CF22
_free.LIBCMT ref: 00B9CF48
_free.LIBCMT ref: 00B9CF71
_free.LIBCMT ref: 00B9CFA9
_free.LIBCMT ref: 00B9CFDA
_free.LIBCMT ref: 00B9D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B9D09C
_free.LIBCMT ref: 00B9D0B5

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c44f3277601b8f797dffcc2bf3285e7fa44c9a2c8e3378df2db363b699683b60
Instruction ID: 8e7351d4a81bbdfbbe08626227bf8c22a3db63cd793d5e8120135a86d15f4e72
Opcode Fuzzy Hash: c44f3277601b8f797dffcc2bf3285e7fa44c9a2c8e3378df2db363b699683b60
Instruction Fuzzy Hash: DC61E072A04205AFDF21AFB49891BAE7FE5EF05360F1441FDF945A7282E7329D098790

Function 00B78B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BB6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BB68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BB68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BB68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BB68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B78874,00000000,00000000,00000000,000000FF,00000000), ref: 00BB6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BB691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B78874,00000000,00000000,00000000,000000FF,00000000), ref: 00BB692D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 339bf5e69b7ac45d1be17f0c12ee32762add0f5a9142d3c51b935f2f97dd28fb
Instruction ID: 75301d2f0f70e593cb4c113fbceaea3f3e7efc9587810cf17ce7463fa9180001
Opcode Fuzzy Hash: 339bf5e69b7ac45d1be17f0c12ee32762add0f5a9142d3c51b935f2f97dd28fb
Instruction Fuzzy Hash: 08518A70600209EFDB20CF24CC95BBA7BF5EB48760F108558F95A972A0DBB1ED90DB50

Function 00BDC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BDC182
GetLastError.KERNEL32 ref: 00BDC195
SetEvent.KERNEL32(?), ref: 00BDC1A9

Part of subcall function 00BDC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BDC272
Part of subcall function 00BDC253: GetLastError.KERNEL32 ref: 00BDC322
Part of subcall function 00BDC253: SetEvent.KERNEL32(?), ref: 00BDC336
Part of subcall function 00BDC253: InternetCloseHandle.WININET(00000000), ref: 00BDC341

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 303f5bbfffe902531f33a7845081d9255065a7d540cad9b9a4803c39803717da
Instruction ID: 5513cb2c31a5d7f73f52bb89bad3d47f3984a741ea2f456787b4b0d177a88380
Opcode Fuzzy Hash: 303f5bbfffe902531f33a7845081d9255065a7d540cad9b9a4803c39803717da
Instruction Fuzzy Hash: A1314771600A06AFDB219FA59D44A76FFE9FF18300B14446EF95A93710EB31E854DBA0

Function 00BC25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BC25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00BC25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BC2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00BC2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BC2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00BC2627

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6053fe05029f5726704e8a7c6c9ed0ad16d8df85ee582f15e889d9eb894ef6da
Instruction ID: 304151a10dfd8c92194e63de886a9292f9a94674b4f5ea51ee7696dac245cd4b
Opcode Fuzzy Hash: 6053fe05029f5726704e8a7c6c9ed0ad16d8df85ee582f15e889d9eb894ef6da
Instruction Fuzzy Hash: C801D430394214BBFB1067689C8AF693F99DF4EB12F600015F318AF0D1CDF26494CA69

Function 00BC1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00BC1449,?,?,00000000), ref: 00BC180C
HeapAlloc.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC1449,?,?,00000000), ref: 00BC1828
GetCurrentProcess.KERNEL32(?,00000000,?,00BC1449,?,?,00000000), ref: 00BC1830
DuplicateHandle.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC1449,?,?,00000000), ref: 00BC1843
GetCurrentProcess.KERNEL32(00BC1449,00000000,?,00BC1449,?,?,00000000), ref: 00BC184B
DuplicateHandle.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC184E
CreateThread.KERNEL32(00000000,00000000,00BC1874,00000000,00000000,00000000), ref: 00BC1868

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 190588a69bdee4f7d3d48346bcd83d82e356f76403443114547dd8dc268186a7
Instruction ID: 606141d915eacb2bccd0f5b83b8abfa18ebd4183ca8f91eddd1a1ff491c9a547
Opcode Fuzzy Hash: 190588a69bdee4f7d3d48346bcd83d82e356f76403443114547dd8dc268186a7
Instruction Fuzzy Hash: C901BBB5240308BFE710ABA5DD4DF6B3FACEB89B11F104411FA05EB1A2CA709950DB60

Function 00BEA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00BCD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00BCD501
Part of subcall function 00BCD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00BCD50F
Part of subcall function 00BCD4DC: CloseHandle.KERNEL32(00000000), ref: 00BCD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEA16D
GetLastError.KERNEL32 ref: 00BEA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BEA268
GetLastError.KERNEL32(00000000), ref: 00BEA273
CloseHandle.KERNEL32(00000000), ref: 00BEA2C4

Strings

SeDebugPrivilege, xrefs: 00BEA18F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 425108eaf639c1a4c993e7d07674cc68e1446e6ffd3ce97fe366a3ab5e248728
Instruction ID: 7c616e683ae85e4fd78e0518455f45d9fd70f9f8df1d240a5d5ffc79d562d765
Opcode Fuzzy Hash: 425108eaf639c1a4c993e7d07674cc68e1446e6ffd3ce97fe366a3ab5e248728
Instruction Fuzzy Hash: 1C617A302042829FD710DF19C494F25BBE5AF44318F1484DCE56A9B7A3C776ED89CB92

Function 00BF3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BF3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00BF393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BF3954
_wcslen.LIBCMT ref: 00BF3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BF39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BF39F4

Strings

SysListView32, xrefs: 00BF38F7

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0159503e845be8baab70f1521e95bd95da2cea71f1dde515e835d84f88782261
Instruction ID: d049b83cc5f7e5b82a73512a447a945b8b74efa5de25825fd0a1a01bab62203e
Opcode Fuzzy Hash: 0159503e845be8baab70f1521e95bd95da2cea71f1dde515e835d84f88782261
Instruction Fuzzy Hash: 5641C231A0021CABDF219F64CC45BFA7BE9EF08750F100566FA49E7281D7B59A84CB90

Function 00BCBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCBCFD
IsMenu.USER32(00000000), ref: 00BCBD1D
CreatePopupMenu.USER32 ref: 00BCBD53
GetMenuItemCount.USER32(01605620), ref: 00BCBDA4
InsertMenuItemW.USER32(01605620,?,00000001,00000030), ref: 00BCBDCC

Strings

2, xrefs: 00BCBD37
0, xrefs: 00BCBCA8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2126d93e4768ef5a9ada0c9937b9dad1b23dcc45eac39a1e0d853a2d00931fbb
Instruction ID: 4e7c3768990505f8585a67135a639e6b8b64e22221766fc71f604a1dbeae0d82
Opcode Fuzzy Hash: 2126d93e4768ef5a9ada0c9937b9dad1b23dcc45eac39a1e0d853a2d00931fbb
Instruction Fuzzy Hash: 2951BC70A00209ABDB10CFA8D8C6FAEBBF8FF55314F2441ADE452EB290D7709945CB61

Function 00BCC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BCC913

Strings

blank, xrefs: 00BCC895
info, xrefs: 00BCC8B4
warning, xrefs: 00BCC8FC
stop, xrefs: 00BCC8E4
question, xrefs: 00BCC8CC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e20b02f3a68267f948b97e098d4b48ed905a9c0e82286c899685397f32532764
Instruction ID: ebe80c66337142715050f04b7cb591ee244a20fc2bc08b4ab48bf177b9d92e32
Opcode Fuzzy Hash: e20b02f3a68267f948b97e098d4b48ed905a9c0e82286c899685397f32532764
Instruction Fuzzy Hash: 35110D31689317BAE705AB54AC83EAB6BECDF25754B1000BEF508A62D2D7F09D409365

Function 00BCED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BCED2A
_wcslen.LIBCMT ref: 00BCED3B
_wcslen.LIBCMT ref: 00BCED79
_wcslen.LIBCMT ref: 00BCEDAF
_wcslen.LIBCMT ref: 00BCEDDF
_wcslen.LIBCMT ref: 00BCEDEF
_wcslen.LIBCMT ref: 00BCEE2B
_wcslen.LIBCMT ref: 00BCEE5A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: cc29b8e023ce0fc8fff1297bba620e47201b3d98fcb793194db202c5fd376237
Instruction ID: f2bd29289de704be0bf733d6b79551ad65d479a58ca0ddfb7f38bef225dd3758
Opcode Fuzzy Hash: cc29b8e023ce0fc8fff1297bba620e47201b3d98fcb793194db202c5fd376237
Instruction Fuzzy Hash: BB418365C10119B6CB21FBB4C88AACFB7E8AF45710F5084A7E528E3172FB34D655C3A5

Function 00B7F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00B7F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BBF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BBF454

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 76d1cc5174ab850c2e64f49eb4f4d03495febd78eb9e249f66e0cc35852c02dd
Instruction ID: dced9dd6682ce9a39781d1d660f8e1c8ddac22809183e66c86f6e5e2d71fd03b
Opcode Fuzzy Hash: 76d1cc5174ab850c2e64f49eb4f4d03495febd78eb9e249f66e0cc35852c02dd
Instruction Fuzzy Hash: 9C41F831608642BBC7399B2D8DC87BA7BD2EB56310F14C4BCE66F57660DA71E880CB15

Function 00BF2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BF2D1B
GetDC.USER32(00000000), ref: 00BF2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BF2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00BF2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BF2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BF2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BF5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00BF2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BF2DE1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d82331c70930a2e59056d8741134deae886f41c1d011bdb9a7dd6daa419c73c0
Instruction ID: 613d5b36c4ff6a7eea2501f5d643b411f537d021f8f459bc4b868a3e6b165938
Opcode Fuzzy Hash: d82331c70930a2e59056d8741134deae886f41c1d011bdb9a7dd6daa419c73c0
Instruction Fuzzy Hash: 91317C76201618BBEB118F50CC89FBB3FA9EB09711F044065FE08DB291CA759C95C7A0

Function 00BC5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BC5637
_memcmp.LIBVCRUNTIME ref: 00BC5659
_memcmp.LIBVCRUNTIME ref: 00BC5671
_memcmp.LIBVCRUNTIME ref: 00BC5684
_memcmp.LIBVCRUNTIME ref: 00BC569E
_memcmp.LIBVCRUNTIME ref: 00BC56B1
_memcmp.LIBVCRUNTIME ref: 00BC56C9
_memcmp.LIBVCRUNTIME ref: 00BC56E4

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 938d8fa97ffa333bdb66455a3f433932943f92d119dfdebac5534f5312d2196b
Instruction ID: 10d0d7793e72490df4f11d1104a24b9d657e36314f92b375968173210a135cf4
Opcode Fuzzy Hash: 938d8fa97ffa333bdb66455a3f433932943f92d119dfdebac5534f5312d2196b
Instruction Fuzzy Hash: B521A761641A1A77D624AE248D82FBA33DCEF21384F4404F9FE049B591F721FD95C2A9

Function 00BE4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00BE5007
NULL Pointer assignment, xrefs: 00BE502E, 00BE5383

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d47b7dad24b17b9cb19a45c4db4ccc40c30807d1a6c143e7f38272194f3d54b5
Instruction ID: ac2fdc356ff952315e573d323f962a4986ab324afa8414d2bc5f1ec2e213f01f
Opcode Fuzzy Hash: d47b7dad24b17b9cb19a45c4db4ccc40c30807d1a6c143e7f38272194f3d54b5
Instruction Fuzzy Hash: 30D1B371A0064A9FDF20CF99C881BAEB7F5FF48358F1481A9E915AB281E770DD45CB50

Function 00BA1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BA15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BA1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BA17FB,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BA16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BA16FB

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BA1777
__freea.LIBCMT ref: 00BA17A2
__freea.LIBCMT ref: 00BA17AE

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9a23e65992c7ca0c7672f64fce822725ae70a034ad371052dd16c617fae4244f
Instruction ID: bf60ec053638ef62ee9cdbfd8ad0e1fba2925c1b3753182f89bac65c82ac3a8b
Opcode Fuzzy Hash: 9a23e65992c7ca0c7672f64fce822725ae70a034ad371052dd16c617fae4244f
Instruction Fuzzy Hash: D991C571E082169ADF648E7CC881EEE7BF5DF5A710F184AA9E802E7181DB35DD40CB60

Function 00BE4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE4648
VariantInit.OLEAUT32(?), ref: 00BE4749
VariantClear.OLEAUT32(?), ref: 00BE4753
VariantClear.OLEAUT32(?), ref: 00BE47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00BE45D8, 00BE4706, 00BE47BE
Incorrect Object type in FOR..IN loop, xrefs: 00BE472C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 917767db85fb183244fd4c5598ec669fa5560aa29edc537b9c9e581a2c627c88
Instruction ID: 4784eb15f87aa7c2332968a474570f57347111e2528e92ca192fed2518548a86
Opcode Fuzzy Hash: 917767db85fb183244fd4c5598ec669fa5560aa29edc537b9c9e581a2c627c88
Instruction Fuzzy Hash: 1A917F71A00259AFDF20CFA6D884FAEBBF8EF46714F108599F515AB280D7709D45CBA0

Function 00BD1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00BD125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BD1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00BD12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD1430

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: ae30a13b547af6d466318d0246182dc7fc1c52f89f7ef356b5737d287e0766da
Instruction ID: 05dcdb139bf826fc901a052c3850097aba3dd4a4eb93897ff1c4104956f300ce
Opcode Fuzzy Hash: ae30a13b547af6d466318d0246182dc7fc1c52f89f7ef356b5737d287e0766da
Instruction Fuzzy Hash: 5491AF71A00209AFDB009F98C885BBEB7F5FF45325F1488AAE910E7391E775A941CF94

Function 00B7948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 20f52b5242d2c8aca5a0fc8db78c598802b7526467f84aae4834beea3381aaf3
Instruction ID: 7e0f5f80849f88698f780e25daf0d9980e83fc5a7025ac35b65323ce7dfb073a
Opcode Fuzzy Hash: 20f52b5242d2c8aca5a0fc8db78c598802b7526467f84aae4834beea3381aaf3
Instruction Fuzzy Hash: 8E911571D44219EFCB10CFA9C884AEEBBF8FF89320F148595E525B7251D774AA42CB60

Function 00BE3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE396B
CharUpperBuffW.USER32(?,?), ref: 00BE3A7A
_wcslen.LIBCMT ref: 00BE3A8A
VariantClear.OLEAUT32(?), ref: 00BE3C1F

Part of subcall function 00BD0CDF: VariantInit.OLEAUT32(00000000), ref: 00BD0D1F
Part of subcall function 00BD0CDF: VariantCopy.OLEAUT32(?,?), ref: 00BD0D28
Part of subcall function 00BD0CDF: VariantClear.OLEAUT32(?), ref: 00BD0D34

Strings

AUTOIT.ERROR, xrefs: 00BE3A80, 00BE3A85
Incorrect Parameter format, xrefs: 00BE39A6, 00BE3BA1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a61ff1b1a45ad5571287f459a37441b2eb445af1aa4ca6871157dfff3246b9b2
Instruction ID: fe477084ab3aa2942362a2812249800ce5f61d8af616535cc425329bdf147282
Opcode Fuzzy Hash: a61ff1b1a45ad5571287f459a37441b2eb445af1aa4ca6871157dfff3246b9b2
Instruction Fuzzy Hash: 37918B746083459FC700DF29C58496AB7E4FF88714F1488AEF88A9B351DB31EE45CB92

Function 00BE4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00BC000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?,?,00BC035E), ref: 00BC002B
Part of subcall function 00BC000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0046
Part of subcall function 00BC000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0054
Part of subcall function 00BC000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?), ref: 00BC0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00BE4C51
_wcslen.LIBCMT ref: 00BE4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00BE4DCF
CoTaskMemFree.OLE32(?), ref: 00BE4DDA

Strings

NULL Pointer assignment, xrefs: 00BE4E23, 00BE4E52

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6defa4a1fc88a2fd9ba0e56d4b2eb8cf282caea402dc7ea7fc74cb32c8d27545
Instruction ID: de88e52f17a56de4ae72d9372a387f2defdd04dd0f202cc3a4db50950f8bba51
Opcode Fuzzy Hash: 6defa4a1fc88a2fd9ba0e56d4b2eb8cf282caea402dc7ea7fc74cb32c8d27545
Instruction Fuzzy Hash: 49910471D0025DAFDF14DFA5D891AEEBBB8FF08300F1085A9E915A7291EB749A44CF60

Function 00BF20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BF2183
GetMenuItemCount.USER32(00000000), ref: 00BF21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BF21DD
_wcslen.LIBCMT ref: 00BF2213
GetMenuItemID.USER32(?,?), ref: 00BF224D
GetSubMenu.USER32(?,?), ref: 00BF225B

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BF22E3

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 570156e559a9660b73b5a70cf24e223e0a487b63616a15038ae644abd108d993
Instruction ID: ddd7979de55ee07af6c4959d8520a24ef909db7ec5ba5baf360e9900f26db47a
Opcode Fuzzy Hash: 570156e559a9660b73b5a70cf24e223e0a487b63616a15038ae644abd108d993
Instruction Fuzzy Hash: 30714E75A00209AFCB14DFA4C885ABEBBF5EF48310F148499E956EB351DB34EE45CB90

Function 00BF7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01605530), ref: 00BF7F37
IsWindowEnabled.USER32(01605530), ref: 00BF7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BF801E
SendMessageW.USER32(01605530,000000B0,?,?), ref: 00BF8051
IsDlgButtonChecked.USER32(?,?), ref: 00BF8089
GetWindowLongW.USER32(01605530,000000EC), ref: 00BF80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BF80C3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a7082954fe187c4fa6857d1cd91af081781db5546297be8fffbd1268ca1e88ad
Instruction ID: 04d9626f55bfff08a8ae17f42585e7e823280b1daba2f402153c2301ea3bea05
Opcode Fuzzy Hash: a7082954fe187c4fa6857d1cd91af081781db5546297be8fffbd1268ca1e88ad
Instruction Fuzzy Hash: 37717D3464824DAFEB219F64C884FFABBF9EF19300F1444D9EA45972A1CF31A949DB50

Function 00BCAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BCAEF9
GetKeyboardState.USER32(?), ref: 00BCAF0E
SetKeyboardState.USER32(?), ref: 00BCAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BCAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BCAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BCAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BCB020

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0f44895ca20cb1f9d6363384e78c3b6732fbf3c71687d0aafb281eaf8c0448df
Instruction ID: 44dab5380b61decde1b2667889c437abb2c498baf5f7e3f75ab7e1f71d826201
Opcode Fuzzy Hash: 0f44895ca20cb1f9d6363384e78c3b6732fbf3c71687d0aafb281eaf8c0448df
Instruction Fuzzy Hash: 2F5192A06046D93DFB3652348C46FBE7EE99B06308F0885CDE1D5968C2D7A9ACC4D752

Function 00BCACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BCAD19
GetKeyboardState.USER32(?), ref: 00BCAD2E
SetKeyboardState.USER32(?), ref: 00BCAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BCADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BCADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BCAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BCAE38

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1c6fbea113725d3e65dc7c496383735b0b49fdffcc88a16578e95761a1eddf4a
Instruction ID: 4ac61b30f1aab688da738adc49e129bdf5e42709dbda6ec14ac173848e07fa56
Opcode Fuzzy Hash: 1c6fbea113725d3e65dc7c496383735b0b49fdffcc88a16578e95761a1eddf4a
Instruction Fuzzy Hash: FB51E6A15047DA3DFB3283348C85F7ABEE89B45309F0884DCE1D6968C3C694EC84D7A2

Function 00B9542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00BA3CD6,?,?,?,?,?,?,?,?,00B95BA3,?,?,00BA3CD6,?,?), ref: 00B95470
__fassign.LIBCMT ref: 00B954EB
__fassign.LIBCMT ref: 00B95506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BA3CD6,00000005,00000000,00000000), ref: 00B9552C
WriteFile.KERNEL32(?,00BA3CD6,00000000,00B95BA3,00000000,?,?,?,?,?,?,?,?,?,00B95BA3,?), ref: 00B9554B
WriteFile.KERNEL32(?,?,00000001,00B95BA3,00000000,?,?,?,?,?,?,?,?,?,00B95BA3,?), ref: 00B95584

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1674fec7c898b2e5c991e4f0af44a96eeac21a51c66c2ed311893efc215f128a
Instruction ID: 0a278ce0bdc047bed412c5ec7e6f9c2ae2abcb15ca8b8bf63413664988776301
Opcode Fuzzy Hash: 1674fec7c898b2e5c991e4f0af44a96eeac21a51c66c2ed311893efc215f128a
Instruction Fuzzy Hash: 9551D471A006099FDF21CFA8D885BEEBBF9EF19300F1541AAF555E7292D7309A41CB60

Function 00B82D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B82D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00B82D53
_ValidateLocalCookies.LIBCMT ref: 00B82DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00B82E0C
_ValidateLocalCookies.LIBCMT ref: 00B82E61

Strings

csm, xrefs: 00B82DF6

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 298818f65833379b2e4e7318679e50d1d115c487f2c9566d1446ffc0b33e30c0
Instruction ID: 728a610ab9a0c00dbdf6108306ff88c35d47b9eea178f02f16bdb945ee8367be
Opcode Fuzzy Hash: 298818f65833379b2e4e7318679e50d1d115c487f2c9566d1446ffc0b33e30c0
Instruction Fuzzy Hash: 51418434A00209ABCF10EF68C885A9EBFF5FF45724F1481A5E8156B3B2D7759A15CBD0

Function 00BE10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
Part of subcall function 00BE304E: _wcslen.LIBCMT ref: 00BE309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BE1112
WSAGetLastError.WSOCK32 ref: 00BE1121
WSAGetLastError.WSOCK32 ref: 00BE11C9
closesocket.WSOCK32(00000000), ref: 00BE11F9

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: bb3c34883fe33be57e19f99cae1a1b6caa95d5b657b3777c125d0268922837cf
Instruction ID: 178760ef1a448ab2add51490d1e508bf99e404e67b8e2be4be6fad29c6336f54
Opcode Fuzzy Hash: bb3c34883fe33be57e19f99cae1a1b6caa95d5b657b3777c125d0268922837cf
Instruction Fuzzy Hash: F7411A31600144AFDB109F59C884BB9BBE9FF45354F248499FD05AB291CB74ED85CBE2

Function 00BCCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BCCF22,?), ref: 00BCDDFD

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BCCF22,?), ref: 00BCDE16

lstrcmpiW.KERNEL32(?,?), ref: 00BCCF45
MoveFileW.KERNEL32(?,?), ref: 00BCCF7F
_wcslen.LIBCMT ref: 00BCD005
_wcslen.LIBCMT ref: 00BCD01B
SHFileOperationW.SHELL32(?), ref: 00BCD061

Strings

\*.*, xrefs: 00BCCFF3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5d61f9c1b35af916270c271e9d96351e8ad6711e2bdba58130cb1b380fc5658b
Instruction ID: 96a9312dcedbbef6d34e3d54b5aa2a3607b9f0f5da5eb45fbde109f639f702f2
Opcode Fuzzy Hash: 5d61f9c1b35af916270c271e9d96351e8ad6711e2bdba58130cb1b380fc5658b
Instruction Fuzzy Hash: 084143759052189EDF12EBA4C981FDDB7F8EF18380F0000EEE509EB141EA34A688CB50

Function 00BF2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BF2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00BF2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00BF2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BF2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BF2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00BF2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF2F0B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8e41bca9ddd2d1a2ececaaad011cb0d036b35b56258a52b8299bfef9a7126969
Instruction ID: 5283d219c2857174a77466762a577f6b29e53b22423390235bf35208ac44c10a
Opcode Fuzzy Hash: 8e41bca9ddd2d1a2ececaaad011cb0d036b35b56258a52b8299bfef9a7126969
Instruction Fuzzy Hash: 4031F630654258EFDB218F58DD85F793BE1EB5A720F2901A4FA00CF2B1CB71A848DB41

Function 00BC7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC778F
SysAllocString.OLEAUT32(00000000), ref: 00BC7792
SysAllocString.OLEAUT32(?), ref: 00BC77B0
SysFreeString.OLEAUT32(?), ref: 00BC77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00BC77DE
SysAllocString.OLEAUT32(?), ref: 00BC77EC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: edd7ac9559e1480b75d51d9733f95a0221d3f1f60a8691118d4d1ea2487db0b5
Instruction ID: 822dbbe826ae9475395a4b68bf0b75ea139edadf68f7f03b6913acaffc19c3ca
Opcode Fuzzy Hash: edd7ac9559e1480b75d51d9733f95a0221d3f1f60a8691118d4d1ea2487db0b5
Instruction Fuzzy Hash: F821B27660421DAFDB10DFA8CC88DBB77ECEB09364700806AF914DB250DA70DC85CBA4

Function 00BC77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7868
SysAllocString.OLEAUT32(00000000), ref: 00BC786B
SysAllocString.OLEAUT32 ref: 00BC788C
SysFreeString.OLEAUT32 ref: 00BC7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00BC78AF
SysAllocString.OLEAUT32(?), ref: 00BC78BD

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fb5a6797466a4004c0e21ed0da070d83acaf04175e195c344a7683ab4218515b
Instruction ID: 83ffa6d2e784f7297a58d6582b2d49a25ea08bc8789b2e16b557d8f26b79dacb
Opcode Fuzzy Hash: fb5a6797466a4004c0e21ed0da070d83acaf04175e195c344a7683ab4218515b
Instruction Fuzzy Hash: DD214735604109AFDB109FA9DC8DEBA7BECEB097607108169FA15CB2A1DE74DC41CB64

Function 00BD04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00BD04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD052E

Strings

nul, xrefs: 00BD0567

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 44a3fae4aadc80ca9fe2d3e7c5e53d8e9519a81449a17f2b109b6a29f660dc8a
Instruction ID: 342fd00cc89bdbd42cacd7480db5d3186b9712561f22af3560d750a5c7c60eb9
Opcode Fuzzy Hash: 44a3fae4aadc80ca9fe2d3e7c5e53d8e9519a81449a17f2b109b6a29f660dc8a
Instruction Fuzzy Hash: 3E215175510305DBDB20AF29E885B5ABBF4EF54728F204A5AECA1D72E0E7709950DF20

Function 00BD05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BD05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD0601

Strings

nul, xrefs: 00BD0639

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 49207d3eb4eed52e4c087f90ebd99865c52a00a456db0109f904b399409a6b64
Instruction ID: 3587786f35b7ec6815b5e14d395a1af839df1fe66bc1f7fe985b89f489608e3f
Opcode Fuzzy Hash: 49207d3eb4eed52e4c087f90ebd99865c52a00a456db0109f904b399409a6b64
Instruction Fuzzy Hash: 6D2144755103059BDB20AF799C44B5AB7E4EF95724F200A9AE8A1E73D0E770D960CB10

Function 00BF40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
Part of subcall function 00B6600E: GetStockObject.GDI32(00000011), ref: 00B66060
Part of subcall function 00B6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BF4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BF411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BF412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BF4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BF4145

Strings

Msctls_Progress32, xrefs: 00BF40E3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 430d87b5db8039b733a1c62fe98d17b35f8ac72e2d0627e2df1395276f91d410
Instruction ID: 05421f643ad82d52a49812f3a427ac5dbf58bfa20cd516cf30d69e4c86a24ba2
Opcode Fuzzy Hash: 430d87b5db8039b733a1c62fe98d17b35f8ac72e2d0627e2df1395276f91d410
Instruction Fuzzy Hash: B2118EB215021DBEEF118E64CC85EE77F9DEF08798F014110BB18A7090CB729C61DBA4

Function 00B9D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D7A3: _free.LIBCMT ref: 00B9D7CC

_free.LIBCMT ref: 00B9D82D

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9D838
_free.LIBCMT ref: 00B9D843
_free.LIBCMT ref: 00B9D897
_free.LIBCMT ref: 00B9D8A2
_free.LIBCMT ref: 00B9D8AD
_free.LIBCMT ref: 00B9D8B8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 92cd939704d49c68216578c674035423cf9d4060196888192ea6c8844692a1be
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 33112B71940B04BADE21FFF1CC47FCB7BDCAF04700F4148B5B29DA6592DA69B90586A0

Function 00BCDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BCDA74
LoadStringW.USER32(00000000), ref: 00BCDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BCDA91
LoadStringW.USER32(00000000), ref: 00BCDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BCDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BCDAB9

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 138e56dbda104e7ee105c574f21f29be7fe1050a26865bbd4532e1fd39b84ae5
Instruction ID: 644244fd1f52abecd460ef13b69c2c8a6f4b70d819f95df686f9875255324ff5
Opcode Fuzzy Hash: 138e56dbda104e7ee105c574f21f29be7fe1050a26865bbd4532e1fd39b84ae5
Instruction Fuzzy Hash: 880162F650020C7FE750ABA49E89EF7766CE708701F4004A5B746E3041EA749EC48F74

Function 00BD096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(015FE248,015FE248), ref: 00BD097B
EnterCriticalSection.KERNEL32(015FE228,00000000), ref: 00BD098D
TerminateThread.KERNEL32(?,000001F6), ref: 00BD099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00BD09A9
CloseHandle.KERNEL32(?), ref: 00BD09B8
InterlockedExchange.KERNEL32(015FE248,000001F6), ref: 00BD09C8
LeaveCriticalSection.KERNEL32(015FE228), ref: 00BD09CF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c595e68e132ce3e507036ecb0f50c8b340c8c6451729c17a28b8845f472e66bb
Instruction ID: e6b52668b84aa7a284f2734b90cb95db28f99b3390085713a84c6fef983a6f9b
Opcode Fuzzy Hash: c595e68e132ce3e507036ecb0f50c8b340c8c6451729c17a28b8845f472e66bb
Instruction Fuzzy Hash: 84F01D31442506ABD7415B94EF88BE6BA25FF01702F501016F101928A0DB7494A5DF90

Function 00BE1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BE1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BE1DE1
WSAGetLastError.WSOCK32 ref: 00BE1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00BE1EDB
inet_ntoa.WSOCK32(?), ref: 00BE1E8C

Part of subcall function 00BC39E8: _strlen.LIBCMT ref: 00BC39F2

Part of subcall function 00BE3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00BDEC0C), ref: 00BE3240

_strlen.LIBCMT ref: 00BE1F35

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 56ae02fd3e8ba1ebd635b9292a73b13393efa30339d7f3469b8b1b062bd0bed3
Instruction ID: c1067ec90bcf36aa480a64769bf376ff3ada06823b6363ed119b609cc2de4ad9
Opcode Fuzzy Hash: 56ae02fd3e8ba1ebd635b9292a73b13393efa30339d7f3469b8b1b062bd0bed3
Instruction Fuzzy Hash: C4B1B231204380AFC324DF29C895E2A7BE5EF84318F64899CF4569B2E2DB71ED45CB91

Function 00B65D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B65D30
GetWindowRect.USER32(?,?), ref: 00B65D71
ScreenToClient.USER32(?,?), ref: 00B65D99
GetClientRect.USER32(?,?), ref: 00B65ED7
GetWindowRect.USER32(?,?), ref: 00B65EF8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6a58de99e7ba4e720471cf613b1d6e4d21ad30164529f388395ca975073bd219
Instruction ID: e098f947d25a4f1485226cc08f9921528fedaae72109c9d756d527279d0251f7
Opcode Fuzzy Hash: 6a58de99e7ba4e720471cf613b1d6e4d21ad30164529f388395ca975073bd219
Instruction Fuzzy Hash: 3BB17A34A0464ADFDB20CFA8C4807EEB7F1FF58310F14845AE8A9D7250DB78AA61DB50

Function 00B901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B900D6
__allrem.LIBCMT ref: 00B900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B9010B
__allrem.LIBCMT ref: 00B90122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B90140

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: c7a4d79a12cd9cddd16cb0ee4c1e0667e016db6e5ee0e07ef3345d6209432145
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 6181E572A017169FEB24BF68CC81B6BB3E9EF41724F2445BAF551D6291E770D900CB90

Function 00B961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B882D9,00B882D9,?,?,?,00B9644F,00000001,00000001,8BE85006), ref: 00B96258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B9644F,00000001,00000001,8BE85006,?,?,?), ref: 00B962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B963D8
__freea.LIBCMT ref: 00B963E5

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

__freea.LIBCMT ref: 00B963EE
__freea.LIBCMT ref: 00B96413

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3e503fa73bdb211c55b68cdbdf18da1dbe0a2f157913ab0ca7e1eccc259fc775
Instruction ID: ea4978aee00d3f5a66997484be552d2524c8bfe2efb2833054e53c7826f36015
Opcode Fuzzy Hash: 3e503fa73bdb211c55b68cdbdf18da1dbe0a2f157913ab0ca7e1eccc259fc775
Instruction Fuzzy Hash: A451CF72A04216ABEF268F68CC81EAF7BE9EB44750F1546B9F805D7140EB34DC50D664

Function 00BEBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEBD25
RegCloseKey.ADVAPI32(00000000), ref: 00BEBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BEBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BEBDF3
RegCloseKey.ADVAPI32(?), ref: 00BEBDFF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a1285a2bc1d901ca86a3d8db8c259a8835f396938e4758039ca014eae45f99c0
Instruction ID: a16a8b3298521ecb86673f712827c83a6546bfe9b57734365195ddd9200e5bd6
Opcode Fuzzy Hash: a1285a2bc1d901ca86a3d8db8c259a8835f396938e4758039ca014eae45f99c0
Instruction Fuzzy Hash: D3816F31118241AFD714DF25C895E2BBBE5FF84308F1489ACF55A4B2A2DB31ED45CB92

Function 00BBF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00BBF7B9
SysAllocString.OLEAUT32(00000001), ref: 00BBF860
VariantCopy.OLEAUT32(00BBFA64,00000000), ref: 00BBF889
VariantClear.OLEAUT32(00BBFA64), ref: 00BBF8AD
VariantCopy.OLEAUT32(00BBFA64,00000000), ref: 00BBF8B1
VariantClear.OLEAUT32(?), ref: 00BBF8BB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 09001759130babd51df05526df99466abfddfa1892354091bf684c31396fba03
Instruction ID: dde9eef3057df425278935626b781da9cf32d06906812d368c6e3b19ca9abbc3
Opcode Fuzzy Hash: 09001759130babd51df05526df99466abfddfa1892354091bf684c31396fba03
Instruction Fuzzy Hash: E6519E31600312BBCF24AB65DC95BB9B3E8EF45710B2494F7E906DF291DAB08C40CB96

Function 00BD910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00BD94E5
_wcslen.LIBCMT ref: 00BD9506
_wcslen.LIBCMT ref: 00BD952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00BD9585

Strings

X, xrefs: 00BD9412

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e983db2d0b0274a70016e625f6e6fd2ede7b3931b0a478f425ee05380dd13c90
Instruction ID: 584c3c7a00f78273f104e760d8b5fcb326d78d65d90af0731ca50cc3a25b8b07
Opcode Fuzzy Hash: e983db2d0b0274a70016e625f6e6fd2ede7b3931b0a478f425ee05380dd13c90
Instruction Fuzzy Hash: 25E1A2315043009FD724EF24C881A6AB7E4FF95314F1489AEF8999B3A2EB31DD45CB92

Function 00B7920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

BeginPaint.USER32(?,?,?), ref: 00B79241
GetWindowRect.USER32(?,?), ref: 00B792A5
ScreenToClient.USER32(?,?), ref: 00B792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B792D3
EndPaint.USER32(?,?,?,?,?), ref: 00B79321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BB71EA

Part of subcall function 00B79339: BeginPath.GDI32(00000000), ref: 00B79357

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3d322bc52137260b679e7604c641a8a3d31ff6d2a727a39541148276263cbe29
Instruction ID: 7d86c8ae4e42f309bfd45307eb9c9f27d410ebf6ade2e62de31476b87927a25b
Opcode Fuzzy Hash: 3d322bc52137260b679e7604c641a8a3d31ff6d2a727a39541148276263cbe29
Instruction Fuzzy Hash: FA41AD70108300AFD710DF28DC84FBA7BE8EF85320F1442A9F9A9972A2CB719845DB61

Function 00BD07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00BD080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00BD0847
EnterCriticalSection.KERNEL32(?), ref: 00BD0863
LeaveCriticalSection.KERNEL32(?), ref: 00BD08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00BD08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BD0921

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c19d436e14ff761a374b7d88b21498dd6f9619bfb1072f9f9ab3710d1b828edd
Instruction ID: 9db1c0a9fbf72fcb768f456900bb8eb1392b3fd88f20d8c9afd803c623774bc1
Opcode Fuzzy Hash: c19d436e14ff761a374b7d88b21498dd6f9619bfb1072f9f9ab3710d1b828edd
Instruction Fuzzy Hash: 17417C71910205EBDF14AF54DC85B6ABBB8FF04300F1480A5ED04AB297EB31DE65DBA4

Function 00BF81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BBF3AB,00000000,?,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BF824C
EnableWindow.USER32(?,00000000), ref: 00BF8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BF82D1
ShowWindow.USER32(?,00000004), ref: 00BF82E5
EnableWindow.USER32(?,00000001), ref: 00BF830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BF832F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: db0b944bde3579417e84244d78c08606f022c8f7999c88ad9192916f89449613
Instruction ID: 515ab2914329974fea48a7b2ff0ce42810cccc390e0771bb2fe8b574a935e470
Opcode Fuzzy Hash: db0b944bde3579417e84244d78c08606f022c8f7999c88ad9192916f89449613
Instruction Fuzzy Hash: F9413234601648EFDB16CF15D999BF87BE1FB4A714F1841A9EA084B272CB31A849CF54

Function 00BC4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BC4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BC4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BC4CEA
_wcslen.LIBCMT ref: 00BC4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BC4D10
_wcsstr.LIBVCRUNTIME ref: 00BC4D1A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 607c0a409a31b8de6a8e3f396231a94f2562fd8aee3246561cd7d94351f67c4a
Instruction ID: 2c63171db84ee437f95b903624d8dee3750b38071dbefdd816830d5d77d28236
Opcode Fuzzy Hash: 607c0a409a31b8de6a8e3f396231a94f2562fd8aee3246561cd7d94351f67c4a
Instruction Fuzzy Hash: 3421C5326042057BEB256B299D59F7B7BE8DF45750F1080BDF80ACB1A1EB61DD40D6A0

Function 00BD581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

_wcslen.LIBCMT ref: 00BD587B
CoInitialize.OLE32(00000000), ref: 00BD5995
CoCreateInstance.OLE32(00BFFCF8,00000000,00000001,00BFFB68,?), ref: 00BD59AE
CoUninitialize.OLE32 ref: 00BD59CC

Strings

.lnk, xrefs: 00BD5876, 00BD58C1, 00BD5985

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 0bc86a027a8cf54faaffde3444f2545e9efc12f2a6d729f3303af093f9abdc6f
Instruction ID: a3ee5d9709c4a83cf9aceb63a00e9f42b3d97be1b823ca1c2d6c8a1d7061d08f
Opcode Fuzzy Hash: 0bc86a027a8cf54faaffde3444f2545e9efc12f2a6d729f3303af093f9abdc6f
Instruction Fuzzy Hash: CDD154716047019FC724DF24C490A2AFBE5EF89714F14889EF88A9B361EB35EC45CB92

Function 00BC175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC0FCA
Part of subcall function 00BC0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC0FD6
Part of subcall function 00BC0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC0FE5
Part of subcall function 00BC0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC0FEC
Part of subcall function 00BC0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC1002

GetLengthSid.ADVAPI32(?,00000000,00BC1335), ref: 00BC17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BC17BA
HeapAlloc.KERNEL32(00000000), ref: 00BC17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BC17DA
GetProcessHeap.KERNEL32(00000000,00000000,00BC1335), ref: 00BC17EE
HeapFree.KERNEL32(00000000), ref: 00BC17F5

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7a0bac7c0c966abb5cbd259a161d76c912078d5fe6f40f6caf718aed1f615309
Instruction ID: 4e0b49b38e720cc359cd8a23dce4f66657bd9b27626dde9761a68ec64a3cc5c2
Opcode Fuzzy Hash: 7a0bac7c0c966abb5cbd259a161d76c912078d5fe6f40f6caf718aed1f615309
Instruction Fuzzy Hash: 10118C71500209EFDB109FA8CD49FAE7BE9EF42355F10485DE441A7211CB359D95CB60

Function 00BC14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BC14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00BC1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BC1515
CloseHandle.KERNEL32(00000004), ref: 00BC1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BC154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00BC1563

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b31095102a73a5da545ff9d438654744a7f795b3effcc9d9ac27af2a8db7aa99
Instruction ID: 130f9bef2bc3f02b651f40dd5428dda9b7566cdcacc9cc889831d1bd6a213091
Opcode Fuzzy Hash: b31095102a73a5da545ff9d438654744a7f795b3effcc9d9ac27af2a8db7aa99
Instruction Fuzzy Hash: 6D11597250020DABDF11CFA8DE49FEE7BA9EF49744F044058FA05A2160C771CEA5EB60

Function 00B83382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B83379,00B82FE5), ref: 00B83390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B8339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B833B7
SetLastError.KERNEL32(00000000,?,00B83379,00B82FE5), ref: 00B83409

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0d25e61c4b57a033284fe3e44e08a692f9a234869d8179054a229a6ece3e2b97
Instruction ID: d0e2358e1caa019ecfcc505d96e39735c58ea9f8761cb98bb1ac4c60f0ab9cc8
Opcode Fuzzy Hash: 0d25e61c4b57a033284fe3e44e08a692f9a234869d8179054a229a6ece3e2b97
Instruction Fuzzy Hash: 3601D43261D311BEAA2537B8BCC5B6E2AD4EB05F7972002A9F410822F1EF114E02D788

Function 00B92D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B95686,00BA3CD6,?,00000000,?,00B95B6A,?,?,?,?,?,00B8E6D1,?,00C28A48), ref: 00B92D78
_free.LIBCMT ref: 00B92DAB
_free.LIBCMT ref: 00B92DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00B8E6D1,?,00C28A48,00000010,00B64F4A,?,?,00000000,00BA3CD6), ref: 00B92DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00B8E6D1,?,00C28A48,00000010,00B64F4A,?,?,00000000,00BA3CD6), ref: 00B92DEC
_abort.LIBCMT ref: 00B92DF2

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a143a439da81c05d4d07b3c38238b145a5ce406d604cb91b71ff899a1185d2a1
Instruction ID: 9b5849caaac8cd4e276f359096ef2949949d83b9e82681affa0352a4513cc1dd
Opcode Fuzzy Hash: a143a439da81c05d4d07b3c38238b145a5ce406d604cb91b71ff899a1185d2a1
Instruction Fuzzy Hash: 56F0A436D0560037CE226738AC46F2E29E9EFC27A1F2505B9F824932A2EE34884241A0

Function 00BF8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796A2
Part of subcall function 00B79639: BeginPath.GDI32(?), ref: 00B796B9
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BF8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00BF8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BF8A70
LineTo.GDI32(?,00000000,00000003), ref: 00BF8A80
EndPath.GDI32(?), ref: 00BF8A90
StrokePath.GDI32(?), ref: 00BF8AA0

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 78bf04cc8f7ce7ec9003ccabc6fa8e9e3effc5c792bb9130602c6aa0aae12700
Instruction ID: a4f0c500e77750c55e7ce9d60acc84c35834f009bc996b8f0f842d0217b79591
Opcode Fuzzy Hash: 78bf04cc8f7ce7ec9003ccabc6fa8e9e3effc5c792bb9130602c6aa0aae12700
Instruction Fuzzy Hash: 1E11C97600010DFFDB129F94DD88FAA7FADEB08354F048052BA199B1A1DB719D95DBA0

Function 00BC51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BC5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BC5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC5230
ReleaseDC.USER32(00000000,00000000), ref: 00BC5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BC524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00BC5261

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5f04c63ee24f6239d48db4e1521d1f1a710b76d5f55b84ee21d9cac9dc18eabf
Instruction ID: 12390649eb028f6a91a75c3d3eef5b661f1fb75106c8442db70dc2c8f1d382ab
Opcode Fuzzy Hash: 5f04c63ee24f6239d48db4e1521d1f1a710b76d5f55b84ee21d9cac9dc18eabf
Instruction Fuzzy Hash: 9C018F75A00708BBEB109BA59D49F6EBFB8EB48351F044065FA04EB380DA709850CBA0

Function 00B61BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B61BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B61BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B61C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B61C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B61C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B61C22

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f0f65917348a286a9d721dca1227baca62466f0b9dc45aa6a7076a32fe05225d
Instruction ID: e7ec3db64bf007369be1484dda33aed18ca5ecd60fb317313d04a77bc7b2ed6a
Opcode Fuzzy Hash: f0f65917348a286a9d721dca1227baca62466f0b9dc45aa6a7076a32fe05225d
Instruction Fuzzy Hash: D5016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00BCEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BCEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BCEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00BCEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB75

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1cb417ab88f70b97c87315c1c40cc94aba8d91c8224abc4f0a118cc41a8fe71b
Instruction ID: fb9115e4b6dc9fa0d6b187e19d71a22c91b993787f9eb2de9eb7c11bdd7d950d
Opcode Fuzzy Hash: 1cb417ab88f70b97c87315c1c40cc94aba8d91c8224abc4f0a118cc41a8fe71b
Instruction Fuzzy Hash: 49F01772240158BBE7215B629D0EEFB3E7CEFCAB11F000158F611E30919BA05A41D6B5

Function 00BB7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00BB7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00BB7469
GetWindowDC.USER32(?), ref: 00BB7475
GetPixel.GDI32(00000000,?,?), ref: 00BB7484
ReleaseDC.USER32(?,00000000), ref: 00BB7496
GetSysColor.USER32(00000005), ref: 00BB74B0

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3e7ea766de640aa8ed81f92d89451bcb9db2bf8946fdd86c87026cfc1f5e26b1
Instruction ID: 70aac4c39f47842a9a5437f909f4ca8c252afc03c7aeaa1e930484fb1075ca58
Opcode Fuzzy Hash: 3e7ea766de640aa8ed81f92d89451bcb9db2bf8946fdd86c87026cfc1f5e26b1
Instruction Fuzzy Hash: 08014031404209EFEB505BA4DE09BBA7EB5FB04322F2400A0E926A32A0CF311E91EB10

Function 00BC1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC187F
UnloadUserProfile.USERENV(?,?), ref: 00BC188B
CloseHandle.KERNEL32(?), ref: 00BC1894
CloseHandle.KERNEL32(?), ref: 00BC189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC18A5
HeapFree.KERNEL32(00000000), ref: 00BC18AC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5b8cd7b2282abcf9d9b55b85b60f92b3e93368151b2af008d33e6ba6d73bcb2c
Instruction ID: a9d707b0d2b30bf5ac819f359464e056480c78b574b2bf929c7154cf26a746fd
Opcode Fuzzy Hash: 5b8cd7b2282abcf9d9b55b85b60f92b3e93368151b2af008d33e6ba6d73bcb2c
Instruction Fuzzy Hash: 7DE0C236004109BBDA016BA1EE0CD1ABF29FF49B22B108220F22593070CF3294B0EB50

Function 00BCC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BCC6EE
_wcslen.LIBCMT ref: 00BCC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BCC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BCC7CA

Strings

0, xrefs: 00BCC6AF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 42fa805668c10dac0d33ffe2cf4fd01bdb99acd78beb3a8bf1023f5ce45ae86d
Instruction ID: 0fa090313945fc4dfd1c7dde76c8d17c3c6360e14bb3786779de5da33e15dfa2
Opcode Fuzzy Hash: 42fa805668c10dac0d33ffe2cf4fd01bdb99acd78beb3a8bf1023f5ce45ae86d
Instruction Fuzzy Hash: D551BE716143019BD7119F28C985F6BBBE4EB69310F080AAEF999D31A0DB74DD04CB56

Function 00BEAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00BEAEA3

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

GetProcessId.KERNEL32(00000000), ref: 00BEAF38
CloseHandle.KERNEL32(00000000), ref: 00BEAF67

Strings

<, xrefs: 00BEAE6B
@, xrefs: 00BEAE72

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: cefb6b1b906f6967d888e35fb3b1ced45880445c77c0b098c225dc3c326a006c
Instruction ID: ddec7bcabedff63ca9ecce53857f19a07013b881a314e2686aa5939d9e327e96
Opcode Fuzzy Hash: cefb6b1b906f6967d888e35fb3b1ced45880445c77c0b098c225dc3c326a006c
Instruction Fuzzy Hash: 59715670A00259DFCB14EF55C494A9EBBF4FF08314F148499E81AAB3A2CB74ED45CB91

Function 00BC719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BC7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BC723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BC724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BC72CF

Strings

DllGetClassObject, xrefs: 00BC7242

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c797d73879f708d6ac1b41da0c128a1c28d2b321324fb9322b4397f591c095f7
Instruction ID: 212bc71b234119c132469deefe61589ad35dc7d2369b277f7d638a7480410086
Opcode Fuzzy Hash: c797d73879f708d6ac1b41da0c128a1c28d2b321324fb9322b4397f591c095f7
Instruction Fuzzy Hash: 6D411A71A44204AFDB15CF54C984FAA7BE9EF45310B2480ADBD099F20ADBB1DA45CFA0

Function 00BF3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF3E35
IsMenu.USER32(?), ref: 00BF3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF3E92
DrawMenuBar.USER32 ref: 00BF3EA5

Strings

0, xrefs: 00BF3D89

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5d65b27fff5db33f3b56fad76d58d20dd0845f8670274fb1c807e107055e31f8
Instruction ID: 099920541fdd8f7566eaa677b0b17bc342731ab6ed43834f63ac86a7688e3257
Opcode Fuzzy Hash: 5d65b27fff5db33f3b56fad76d58d20dd0845f8670274fb1c807e107055e31f8
Instruction Fuzzy Hash: DC412475A1120DEFDF10DF60D884AEABBF9FF48764F0441A9EA05A7250D730AE49CB60

Function 00BC1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BC1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BC1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BC1EA9

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Strings

ListBox, xrefs: 00BC1E25
ComboBox, xrefs: 00BC1DF0

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b18495e93dfef16f38c9496a4091b4c67888a37f78552795a5afcebadbca4641
Instruction ID: a85e5f4f829e58b650c2d12a6f94db08c946ab4b2b9efa15d6ccd132cb3bebfe
Opcode Fuzzy Hash: b18495e93dfef16f38c9496a4091b4c67888a37f78552795a5afcebadbca4641
Instruction Fuzzy Hash: 6C213571A00109BBDB14AB68DD46DFFBBF8DF46350B1485ADF825E31E2DB38494AC620

Function 00BF2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BF2F8D
LoadLibraryW.KERNEL32(?), ref: 00BF2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BF2FA9
DestroyWindow.USER32(?), ref: 00BF2FB1

Strings

SysAnimate32, xrefs: 00BF2F68

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6034d1f6c542770ac4193e8bb5f04b981f61065badb8f7d509cfc4832cde167d
Instruction ID: 382ad4b961e5294a09213c52082f864c75dc6c5e3272bf45d15c21c246e04562
Opcode Fuzzy Hash: 6034d1f6c542770ac4193e8bb5f04b981f61065badb8f7d509cfc4832cde167d
Instruction Fuzzy Hash: 2721977222420AABEB104FA4DC80EBB37F9EB69364F104668FA50D31A0D771DC959760

Function 00B84D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B84D1E,00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002), ref: 00B84D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B84DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00B84D1E,00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000), ref: 00B84DC3

Strings

mscoree.dll, xrefs: 00B84D86
CorExitProcess, xrefs: 00B84D98

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c58a28c722a5ccbffa1faf875c6c25a8ab1ceaf6dd2c3e25eaa41fb45a62465
Instruction ID: 7985d461c7e29fb880a7633de9cce7ee5cbea796bffa3bfaff8a75aeb089338d
Opcode Fuzzy Hash: 4c58a28c722a5ccbffa1faf875c6c25a8ab1ceaf6dd2c3e25eaa41fb45a62465
Instruction Fuzzy Hash: B4F03C34A40219ABDB11AB94DD49BAEBFF5EF44751F0000A4A809A36A0CF745E94CB91

Function 00B64E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64EAE
FreeLibrary.KERNEL32(00000000,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00B64EA8
kernel32.dll, xrefs: 00B64E94

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d77d8c085f3bcca413307422f9e50021e30f2b33103bc6a9a171fbe987f62046
Instruction ID: 04bb6d0d7d370203b3e571386688a4f5af7010cfa1fac1893f1aadaaed79cadb
Opcode Fuzzy Hash: d77d8c085f3bcca413307422f9e50021e30f2b33103bc6a9a171fbe987f62046
Instruction Fuzzy Hash: 09E0CD35E019365BD23117257D18B7F69D4EF81F627050165FD04F3111DF68CE45C4A0

Function 00B64E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64E74
FreeLibrary.KERNEL32(00000000,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E87

Strings

kernel32.dll, xrefs: 00B64E5B
Wow64RevertWow64FsRedirection, xrefs: 00B64E6E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 657966b4e0b9391d8d7dd75778a5639409031f19dc425a0a7e956a67133886c6
Instruction ID: 45dffb9b90085b16ba97048670ef24e25219371248e47046fb9115fd399583db
Opcode Fuzzy Hash: 657966b4e0b9391d8d7dd75778a5639409031f19dc425a0a7e956a67133886c6
Instruction Fuzzy Hash: C7D0C239502A365B46221B247C08EAB6E58EF81B113050161B904B3110CF29CE52C1D0

Function 00BD2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2C05
DeleteFileW.KERNEL32(?), ref: 00BD2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BD2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2CC0

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a392adcae4d4d773a5c3e073597fd7466b0e9d6ee5380878cf9aa6bdc7ffdeec
Instruction ID: 06b4200732f028a7c8d19594177911e6bc17313dc5ee00d6cd9bd35ac5abf4bb
Opcode Fuzzy Hash: a392adcae4d4d773a5c3e073597fd7466b0e9d6ee5380878cf9aa6bdc7ffdeec
Instruction Fuzzy Hash: 21B13C71D00119ABDF21EBA4CC85EEEBBBDEF59350F1040E6F909A7251EA349E44CB61

Function 00BEA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00BEA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BEA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BEA468
CloseHandle.KERNEL32(?), ref: 00BEA63D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 580f5a3bab08eb919c49f71fe34b650059b0de3eceb49bd65b11678b1acce516
Instruction ID: b4d22cbb12453d829f53fa9c8f11ca24eb3cb4e312b159805aaf30972bb2d28b
Opcode Fuzzy Hash: 580f5a3bab08eb919c49f71fe34b650059b0de3eceb49bd65b11678b1acce516
Instruction Fuzzy Hash: 9EA18E71604340AFD720DF25C886F2AB7E5AF84714F14889DF59A9B392DBB4EC41CB92

Function 00B9BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C03700), ref: 00B9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C31270,000000FF,?,0000003F,00000000,?), ref: 00B9BC36
_free.LIBCMT ref: 00B9BB7F

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9BD4B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 3aafa2ece81c14385a96bffed8f9f0e87bd9a497c8fc7296f98dfec903819835
Instruction ID: 8736192072a22797bec6001265404353bff8d1ac24bcde561532392f151a6a47
Opcode Fuzzy Hash: 3aafa2ece81c14385a96bffed8f9f0e87bd9a497c8fc7296f98dfec903819835
Instruction Fuzzy Hash: F751CA71904209AFCF14EF65AE81EAEB7F8EF44360B1442FAE454D71A1DB709E41C790

Function 00BCE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BCCF22,?), ref: 00BCDDFD

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BCCF22,?), ref: 00BCDE16

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

lstrcmpiW.KERNEL32(?,?), ref: 00BCE473
MoveFileW.KERNEL32(?,?), ref: 00BCE4AC
_wcslen.LIBCMT ref: 00BCE5EB
_wcslen.LIBCMT ref: 00BCE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00BCE650

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 143d765cb7846b330ad04736f1e3a607c28e5951ada430c1ac29dbb5a26b9db1
Instruction ID: b09171b5480c546f82863b7ba67dbc14c80fac2e78afc5afaeba31addfd6922a
Opcode Fuzzy Hash: 143d765cb7846b330ad04736f1e3a607c28e5951ada430c1ac29dbb5a26b9db1
Instruction Fuzzy Hash: 46514FB24087459BC724EB90D881EDFB7ECEF94340F00496EF59993191EE74E688CB66

Function 00BEB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BEBB63
RegCloseKey.ADVAPI32(?,?), ref: 00BEBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00BEBBB3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 347f532e24463c481a67deb9dace676a55c364d769326daec6b0936bf4a00fee
Instruction ID: 9fa35ac41d19b13a34fbaaea0ac02d3e34490cb526495f10b8069032d1dfea74
Opcode Fuzzy Hash: 347f532e24463c481a67deb9dace676a55c364d769326daec6b0936bf4a00fee
Instruction Fuzzy Hash: 25618131208241AFD714DF25C890E2BBBE5FF84348F5495ACF4998B2A2DB35ED45CB92

Function 00BC8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BC8BCD
VariantClear.OLEAUT32 ref: 00BC8C3E
VariantClear.OLEAUT32 ref: 00BC8C9D
VariantClear.OLEAUT32(?), ref: 00BC8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BC8D3B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ea2f38f77451a6e484b91f11472ea0c620b94ac91a57ea151065f53377315a84
Instruction ID: 257a24d76785055fa94d7b2b900574b8a7f99b29993b93b253bc904a12c619f2
Opcode Fuzzy Hash: ea2f38f77451a6e484b91f11472ea0c620b94ac91a57ea151065f53377315a84
Instruction Fuzzy Hash: B0515BB5A00219EFCB14CF58D894EAABBF5FF89310B15856DE906DB350E730E911CB90

Function 00BD8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BD8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00BD8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BD8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BD8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BD8C5F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 14e880dcbeffa3a002986fe43e3cccbd1f2d791f86079dac355414d1c1a5bd5b
Instruction ID: 7a6acc52a455250e220334d9d30c85e5c854eb337b498718bf04898a9b7a85c4
Opcode Fuzzy Hash: 14e880dcbeffa3a002986fe43e3cccbd1f2d791f86079dac355414d1c1a5bd5b
Instruction Fuzzy Hash: 3A515A35A10219EFCB05DF64C880A6DBBF5FF48314F088099E84AAB362DB35ED51CB90

Function 00BE8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00BE8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00BE8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BE8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00BE9032
FreeLibrary.KERNEL32(00000000), ref: 00BE9052

Part of subcall function 00B7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00BD1043,?,7529E610), ref: 00B7F6E6
Part of subcall function 00B7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BBFA64,00000000,00000000,?,?,00BD1043,?,7529E610,?,00BBFA64), ref: 00B7F70D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3b0805eac6c84ed49ce590193140337fcb75576026ce52c55fa49256b09a6e40
Instruction ID: ce72ddf07ffb619fa484046b561da2ae6ec0ee74c7dcebf335a6ebb61b405c85
Opcode Fuzzy Hash: 3b0805eac6c84ed49ce590193140337fcb75576026ce52c55fa49256b09a6e40
Instruction Fuzzy Hash: 11513835600645DFCB11DF59C4948ADBBF1FF59324B0480E9E80AAB362DB31ED85CB90

Function 00BF6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00BF6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00BF6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00BF6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00BDAB79,00000000,00000000), ref: 00BF6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00BF6CC7

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 626ff1ee4e8029142c522ca9cf36d1410532ea3751f8d785316362d80282b7c6
Instruction ID: 4fa8cf00e02610c1c98bf31e2b48553f849cc0f4d94e99fdc34c898c725b1a11
Opcode Fuzzy Hash: 626ff1ee4e8029142c522ca9cf36d1410532ea3751f8d785316362d80282b7c6
Instruction Fuzzy Hash: B941AF35A04108AFDB24CF68CD99FB97BE5EB09360F1502A8EE95E72A1C771AD45CA40

Function 00B92051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B920C3
_free.LIBCMT ref: 00B920E3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c59e0398f1c20ccf84b78b4d21f438ba11cdbada708ddaf19d8bbf5bd38b20ca
Instruction ID: bf089363635f7fa964a4b40d5d3d1993e19ed568f7a343aafa5b36af7d96a6a5
Opcode Fuzzy Hash: c59e0398f1c20ccf84b78b4d21f438ba11cdbada708ddaf19d8bbf5bd38b20ca
Instruction Fuzzy Hash: 8241AF32E00210AFCF24DF78C881A6DB7E5EF89314F1585B9E615EB392DA31AD01CB81

Function 00B7912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B79141
ScreenToClient.USER32(00000000,?), ref: 00B7915E
GetAsyncKeyState.USER32(00000001), ref: 00B79183
GetAsyncKeyState.USER32(00000002), ref: 00B7919D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bdda7b454c86e7539a06be4d4a908f87d1cd7eb0dccd7496594005b74bf8291c
Instruction ID: f6933155710367d3133cc1a196fbd9de9ef1e65793b959a437478036545e2e48
Opcode Fuzzy Hash: bdda7b454c86e7539a06be4d4a908f87d1cd7eb0dccd7496594005b74bf8291c
Instruction Fuzzy Hash: 7D416E7190850ABBDF059F68C844BFEB7B4FB45320F208295E429B72D0CB745954DBA1

Function 00BD3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BD38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00BD3922
TranslateMessage.USER32(?), ref: 00BD394B
DispatchMessageW.USER32(?), ref: 00BD3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD3966

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4b98ec6da0f0593bc7613cc22c9cea3923fa53c700a82442e1a619babfdbfb94
Instruction ID: 5e79f1c35f966855a9d6d4d8edfeb7beda31f368aee9c6cb5997400793ccd23f
Opcode Fuzzy Hash: 4b98ec6da0f0593bc7613cc22c9cea3923fa53c700a82442e1a619babfdbfb94
Instruction Fuzzy Hash: FB31FB705143419EEB35CB349898B76BBE4DB05710F0805ABE463832E2F7F99A84DB13

Function 00BDCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00BDCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFF2

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 715246694df2c5b5acc6069df7f63959a26c75487c830c3a9480f85bf46e36bc
Instruction ID: fad84aafe533676f2a08b15ed646965d53ff12a239306c0620b9260f55ad508f
Opcode Fuzzy Hash: 715246694df2c5b5acc6069df7f63959a26c75487c830c3a9480f85bf46e36bc
Instruction Fuzzy Hash: F4312F71504206AFDB20DFA5C9849ABBFF9EB14351B1044AEF51AD3251EB30AD49DB60

Function 00BC1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BC1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00BC19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00BC19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00BC19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BC19E2

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3ae4c43f1d29fe559be876aad6e0f0e14372aceb9f6de411ebac2edd2b86c8e6
Instruction ID: fa263ea4d20b9ff15390b8633494e508820ee7d44931ea3395d833d455e8124c
Opcode Fuzzy Hash: 3ae4c43f1d29fe559be876aad6e0f0e14372aceb9f6de411ebac2edd2b86c8e6
Instruction Fuzzy Hash: F731CF71A00219EFCB00CFACC998BEE7BB5EB05314F108669F921E72D1C7B09955CB90

Function 00BF5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BF5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BF579D
_wcslen.LIBCMT ref: 00BF57AF
_wcslen.LIBCMT ref: 00BF57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF5816

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5855abe6ee3dd5c84b2f7edab7d9c400760b1a2c82711f19973a92897ce4c1c4
Instruction ID: 20ea9a62e8c37ddf25d34b1d7fce10280fbe2276e367a7b5c893d778a73a63ae
Opcode Fuzzy Hash: 5855abe6ee3dd5c84b2f7edab7d9c400760b1a2c82711f19973a92897ce4c1c4
Instruction Fuzzy Hash: F521307190461CAADB309F64CC85AFDBBF8EF04724F108296EB29EB194D7709989CF50

Function 00BE0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BE0951
GetForegroundWindow.USER32 ref: 00BE0968
GetDC.USER32(00000000), ref: 00BE09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00BE09B0
ReleaseDC.USER32(00000000,00000003), ref: 00BE09E8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b3d5d251b33e81f544bc9fc23685e74d6a010a897067fe7b4eda70c495bf6514
Instruction ID: 2cdd91d11ba6004a2fabb7a7077e68ba4f44e4c411aa0241662e14c011f1bfe5
Opcode Fuzzy Hash: b3d5d251b33e81f544bc9fc23685e74d6a010a897067fe7b4eda70c495bf6514
Instruction Fuzzy Hash: FA219335600204AFD704EF69D984AAEBBF5EF44700F0484ADF84AD7362DB74AD44CB50

Function 00B9CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B9CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B9CDE9

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B9CE0F
_free.LIBCMT ref: 00B9CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9CE31

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 275461099c054bf378a9320df33f2de97eda8e09029a4deed161e7844112cdd0
Instruction ID: 17d637374272fa676da1ee0ad5a1826ccd3785572fa2fb1932679dd6ed5cb9a0
Opcode Fuzzy Hash: 275461099c054bf378a9320df33f2de97eda8e09029a4deed161e7844112cdd0
Instruction Fuzzy Hash: EF01D472601A157F2B211ABA6C88C7B6EEDDEC6BA131501B9F906D7200EE609E01C2B4

Function 00B79639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
SelectObject.GDI32(?,00000000), ref: 00B796A2
BeginPath.GDI32(?), ref: 00B796B9
SelectObject.GDI32(?,00000000), ref: 00B796E2

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7a963d730cc0a759ec70035eeddb446674b7b29fad70cf6bdfbdbd2afb9a4e86
Instruction ID: ff0afcd27ffec59acc371080a0ebf8946ad9ca9fb18d318510da65025d26f311
Opcode Fuzzy Hash: 7a963d730cc0a759ec70035eeddb446674b7b29fad70cf6bdfbdbd2afb9a4e86
Instruction Fuzzy Hash: 36217C30812305EFDB119F28ED08BBD3BE8FB41725F188396F828A71A0D7709991CB94

Function 00BC5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BC5726
_memcmp.LIBVCRUNTIME ref: 00BC5744
_memcmp.LIBVCRUNTIME ref: 00BC5757
_memcmp.LIBVCRUNTIME ref: 00BC576F
_memcmp.LIBVCRUNTIME ref: 00BC5787

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 15f3affdbab19036f0874525d4148cb5555da34de9258615f664166dbe04835c
Instruction ID: e2b11cbef11613b6e2878b2a49103dd010621e982a8b7e102d88f9fe3fb3765b
Opcode Fuzzy Hash: 15f3affdbab19036f0874525d4148cb5555da34de9258615f664166dbe04835c
Instruction Fuzzy Hash: 59019671741619BA922866149D82FBA63DCDF21394B0044AAFE049B251F660FD95C2A8

Function 00B92DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6), ref: 00B92DFD
_free.LIBCMT ref: 00B92E32
_free.LIBCMT ref: 00B92E59
SetLastError.KERNEL32(00000000,00B61129), ref: 00B92E66
SetLastError.KERNEL32(00000000,00B61129), ref: 00B92E6F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ab89fb94a0a24751f479d508f6ce39e8f0da4824cfb8fb93993389a8187c8b59
Instruction ID: 0f7634020965e4e23ee2e83bb1d8afa43b6dca3e4e819759692b05f081f0fd49
Opcode Fuzzy Hash: ab89fb94a0a24751f479d508f6ce39e8f0da4824cfb8fb93993389a8187c8b59
Instruction Fuzzy Hash: A801A432E45E007BCE1267746DC6E2F2AEDEFD17A5B2540B9F425A3292EF748C414160

Function 00BC000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?,?,00BC035E), ref: 00BC002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?), ref: 00BC0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0070

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 65c03519d2b984e7fad8bb4b6e078180deed23bfd653066e96fed2e15385818f
Instruction ID: 63ee7f907a7a3f93215cd4d3223324cf917b230b33f2c9d600a8162422ca895f
Opcode Fuzzy Hash: 65c03519d2b984e7fad8bb4b6e078180deed23bfd653066e96fed2e15385818f
Instruction Fuzzy Hash: EB017872610208EBDB116F68ED44FBA7EEDEB44792F154168F905D3210EB71DD808BA0

Function 00BCE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00BCE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00BCE9A5
Sleep.KERNEL32(00000000), ref: 00BCE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00BCE9B7
Sleep.KERNEL32 ref: 00BCE9F3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: abe3a935ddab4894fb2abfc23cb6262445d387017f124a2f4ff8374c7710bf31
Instruction ID: b3b31a8491767dc1ddb20fda7542b2439dc9ce6f7cbebd4a77bc9453cf381466
Opcode Fuzzy Hash: abe3a935ddab4894fb2abfc23cb6262445d387017f124a2f4ff8374c7710bf31
Instruction Fuzzy Hash: 5F015B31C0152DDBCF009BE4D949BEDBBB8FF09700F00458AE512B3140CB709691C761

Function 00BC10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 99900af56b0b4e855f4421ba562fa7dbebba298f2fa4ccfbac145f7c61b7eac8
Instruction ID: 4397722efd2e0f99e69dcd69761ff486307b5d5e008e5e242cff739933c14546
Opcode Fuzzy Hash: 99900af56b0b4e855f4421ba562fa7dbebba298f2fa4ccfbac145f7c61b7eac8
Instruction Fuzzy Hash: DC016975200209BFDB115FA8DD49E6A3FAEEF8A3A0B240458FA41E3360DF31DD50CA60

Function 00BC0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC1002

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 936ad223598d764f8570a9ea3764de7504efa193dcf759752b0dacfdce58db1f
Instruction ID: fbad009cf51d697a4753cc4703fa8df460f11a25b617b02d68066083942ce72b
Opcode Fuzzy Hash: 936ad223598d764f8570a9ea3764de7504efa193dcf759752b0dacfdce58db1f
Instruction Fuzzy Hash: 04F04F35100305ABD7214FA89D49F663FADEF8A761F114455FA45D7251CE70DC90CA60

Function 00BC1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1062

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ad757b49923f5aeef3b1bd0bfe3e44efd95c5b9e39a064aee57795e43ca3d403
Instruction ID: ec296a61ed3218a6803b28c5a8e9a23e32b77eb7c7780ee85f0e715d8cbd06b9
Opcode Fuzzy Hash: ad757b49923f5aeef3b1bd0bfe3e44efd95c5b9e39a064aee57795e43ca3d403
Instruction Fuzzy Hash: 3FF06D35240309EBDB215FA8ED49F663FADEF8A761F210818FE45E7251CE70D990CA60

Function 00BD030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0324
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0331
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD033E
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD034B
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0358
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0365

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 83703273b3e065cc907a27b8d34bbfe75b7c692ce09b8e700c2161ae9dec6e77
Instruction ID: 483bcf64eedabcf0c3e701d156d4fee600ff7b3044dd7c6f80d224fc220773a2
Opcode Fuzzy Hash: 83703273b3e065cc907a27b8d34bbfe75b7c692ce09b8e700c2161ae9dec6e77
Instruction Fuzzy Hash: BB01EE72800B058FCB30AF66D880812FBF9FF603253058A3FD19252A30C3B0A998CF84

Function 00B9D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9D752

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9D764
_free.LIBCMT ref: 00B9D776
_free.LIBCMT ref: 00B9D788
_free.LIBCMT ref: 00B9D79A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2a958a70170cfddb5bdf42502541db6a1297df8dcbbf72aa6a80f756127bd71e
Instruction ID: 02fcbf584666ef8764ed7c4bb6734f25ba44e78799aaaa8cd4b7f1f349f051ae
Opcode Fuzzy Hash: 2a958a70170cfddb5bdf42502541db6a1297df8dcbbf72aa6a80f756127bd71e
Instruction Fuzzy Hash: B3F0FF32954204ABCA21EBA5F9C5E1E77DDFB447107A508A5F04CE7A51CB24FC8086A4

Function 00BC5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BC5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BC5C6F
MessageBeep.USER32(00000000), ref: 00BC5C87
KillTimer.USER32(?,0000040A), ref: 00BC5CA3
EndDialog.USER32(?,00000001), ref: 00BC5CBD

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 23e48524f3dadbcbeb7428d135896715bc3dd975064b2c48f535f9b07b951e80
Instruction ID: 81c10f070d55f98790de775bc8cd5e52053cd4b74897acf5278700de4de9f7d5
Opcode Fuzzy Hash: 23e48524f3dadbcbeb7428d135896715bc3dd975064b2c48f535f9b07b951e80
Instruction Fuzzy Hash: 85011230504B08ABEB315B10DE4EFA67BF8FB04B05F04159DA592A34E1DBF4B9C8CA90

Function 00B922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B922BE

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B922D0
_free.LIBCMT ref: 00B922E3
_free.LIBCMT ref: 00B922F4
_free.LIBCMT ref: 00B92305

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce54eaaff56d3c3f9ba28989fff83e6acd73b358ff7eebd1c4a9428bad82b8d2
Instruction ID: 317de6f3d4c37173c311067874a6247ed5f55cdce27eac43df33d7510f50fa2e
Opcode Fuzzy Hash: ce54eaaff56d3c3f9ba28989fff83e6acd73b358ff7eebd1c4a9428bad82b8d2
Instruction Fuzzy Hash: 53F05E71C20620AF8E22EF94BC41B0D3BE4F71876071405AAF814D63B1C7310912EFE4

Function 00B795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B795D4
StrokeAndFillPath.GDI32(?,?,00BB71F7,00000000,?,?,?), ref: 00B795F0
SelectObject.GDI32(?,00000000), ref: 00B79603
DeleteObject.GDI32 ref: 00B79616
StrokePath.GDI32(?), ref: 00B79631

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 566690ac6dd55763d6495676b6ba935614e7c2373e4c45a404025a2e0bd9cc76
Instruction ID: c30a26b86a19ecde1cba983a1aa1974cf889c94462fb587e58e21431da063e2b
Opcode Fuzzy Hash: 566690ac6dd55763d6495676b6ba935614e7c2373e4c45a404025a2e0bd9cc76
Instruction Fuzzy Hash: 49F0C935015708EFDB169F65EE18B683FA5EB11332F088354F869560F1CB308AA5DF20

Function 00B90F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B910F9
__freea.LIBCMT ref: 00B91117

Part of subcall function 00B91537: _free.LIBCMT ref: 00B9154F

Strings

am/pm, xrefs: 00B9117A
a/p, xrefs: 00B911DE

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4c14d949fcccbc6103ba7bfc2d8db7c5cb285a8f16a603bc6266113ff1e09033
Instruction ID: e621cf13604ea87f267c507a219d1a9e3afafe4d041b97439285087cb1685e2b
Opcode Fuzzy Hash: 4c14d949fcccbc6103ba7bfc2d8db7c5cb285a8f16a603bc6266113ff1e09033
Instruction Fuzzy Hash: 9BD1D031904207EADF299F6CC895BBAB7F0EF05700F2449F9E901AB651D3359D80EB65

Function 00BE7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00B80242: EnterCriticalSection.KERNEL32(00C3070C,00C31884,?,?,00B7198B,00C32518,?,?,?,00B612F9,00000000), ref: 00B8024D
Part of subcall function 00B80242: LeaveCriticalSection.KERNEL32(00C3070C,?,00B7198B,00C32518,?,?,?,00B612F9,00000000), ref: 00B8028A

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00B800A3: __onexit.LIBCMT ref: 00B800A9

__Init_thread_footer.LIBCMT ref: 00BE7BFB

Part of subcall function 00B801F8: EnterCriticalSection.KERNEL32(00C3070C,?,?,00B78747,00C32514), ref: 00B80202
Part of subcall function 00B801F8: LeaveCriticalSection.KERNEL32(00C3070C,?,00B78747,00C32514), ref: 00B80235

Strings

G, xrefs: 00BE7C7F
Variable must be of type 'Object'., xrefs: 00BE7C3A
5, xrefs: 00BE7C78

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: c02b2705cae13d59684a8590d5c79d34782e5b0054fc1d594b7412ba4bb5026d
Instruction ID: bdabea0b558265132df91db7b114c34068b34645d05dbefce4518474bc727e14
Opcode Fuzzy Hash: c02b2705cae13d59684a8590d5c79d34782e5b0054fc1d594b7412ba4bb5026d
Instruction Fuzzy Hash: 6D91AA70A44289EFCB04EF55D8809BDB7F5FF48300F108099F806AB292DB71AE45CB91

Function 00BC2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BC21D0,?,?,00000034,00000800,?,00000034), ref: 00BCB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BC2760

Part of subcall function 00BCB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BCB3F8

Part of subcall function 00BCB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00BCB355
Part of subcall function 00BCB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BC2194,00000034,?,?,00001004,00000000,00000000), ref: 00BCB365
Part of subcall function 00BCB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BC2194,00000034,?,?,00001004,00000000,00000000), ref: 00BCB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BC27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BC281A

Strings

@, xrefs: 00BC2832

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b62b5bb811b864d6ec3d95926e0ac4eb382111e481a24a49fc8e78e08c42f5de
Instruction ID: 8962a3f6435fc98c9bad39578ac5631eee464436e54b8bb69b90cc8584861367
Opcode Fuzzy Hash: b62b5bb811b864d6ec3d95926e0ac4eb382111e481a24a49fc8e78e08c42f5de
Instruction Fuzzy Hash: 8341FB76900218AFDB10DBA4CD86FEEBBB8EF49700F104099FA55B7181DB706E45CBA1

Function 00B9172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00B91769
_free.LIBCMT ref: 00B91834
_free.LIBCMT ref: 00B9183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00B91760, 00B91767, 00B91796, 00B917CE

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 0a33d9840e2e57d967f4eec1febb7e87bbc9fb91141d5063d57d629e581b64b0
Instruction ID: 78155bc22b4b6eab409285b3bf6f03eceb0528bb4992866e43d6f8c93f6f0ba9
Opcode Fuzzy Hash: 0a33d9840e2e57d967f4eec1febb7e87bbc9fb91141d5063d57d629e581b64b0
Instruction Fuzzy Hash: 0F3150B5A0021AAFDF21DF999885E9EBBFCEB85350B1445F6F80497211D6708E41EBA0

Function 00BCC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BCC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00BCC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C31990,01605620), ref: 00BCC395

Strings

0, xrefs: 00BCC2DF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 167f8a68094778a338a67ad8ba595eef1763b55222adeb42537541a36c80f632
Instruction ID: 0b865291ee27b18092d269f193cf7965c8cb721a5180d7752fc91686c8220604
Opcode Fuzzy Hash: 167f8a68094778a338a67ad8ba595eef1763b55222adeb42537541a36c80f632
Instruction Fuzzy Hash: E94191712043419FD720DF24E885F1ABFE4EBE5310F10869DF8A9D7292D730A904CB66

Function 00BF4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BFCC08,00000000,?,?,?,?), ref: 00BF44AA
GetWindowLongW.USER32 ref: 00BF44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF44D7

Strings

SysTreeView32, xrefs: 00BF447C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cf52e181eef25015396354d2e5a592b79bd42ecd7e463f17ad2ade683551d730
Instruction ID: 5cb16f8f46c467e845109bf158ca25fd3d579c38e247afcbce9d7594970fbf58
Opcode Fuzzy Hash: cf52e181eef25015396354d2e5a592b79bd42ecd7e463f17ad2ade683551d730
Instruction Fuzzy Hash: 13316D31214209AFDB209E78DC45BEB7BE9EB08324F204755FA75A32E0DB74EC549B50

Function 00BE304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00BE3077,?,?), ref: 00BE3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
_wcslen.LIBCMT ref: 00BE309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00BE3106

Strings

255.255.255.255, xrefs: 00BE3095, 00BE309A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ce3382875029262488bea9f66f0619f13382eba5fbdeecc2bd51081f8501f7d9
Instruction ID: 83574f8d0f22482da9f42e050e0269e6a24cecbd1e0ac41e9bfe2cedc614db23
Opcode Fuzzy Hash: ce3382875029262488bea9f66f0619f13382eba5fbdeecc2bd51081f8501f7d9
Instruction Fuzzy Hash: 7331F3352002859FCB20CF6AC589FAA77E0EF54718F2480D9E8159B393CB36EE41C761

Function 00BF3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BF3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BF3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF3F78

Strings

SysMonthCal32, xrefs: 00BF3F0B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9af99fa777bbc112435367f00ddf7025000807ae7cfc3f847fae6d6d6ef32583
Instruction ID: e76235a1c1c6c3caa0888af6915e67c769a28bd168a993816779ac9257d1593f
Opcode Fuzzy Hash: 9af99fa777bbc112435367f00ddf7025000807ae7cfc3f847fae6d6d6ef32583
Instruction Fuzzy Hash: 2D219F32610219BFDF118F50DC86FEA3BB5EF48724F110254FA15AB1D0D6B5AD94CBA0

Function 00BF4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BF4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BF4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BF471A

Strings

msctls_updown32, xrefs: 00BF4684

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c97e0ce3644450e04dea76565fa59ea56d44e03adbd7bde72bc460aadb2a015b
Instruction ID: 3870e6325ff1b4ec5e7a008462262772166c8dc45a45c7876afa7384309f71fb
Opcode Fuzzy Hash: c97e0ce3644450e04dea76565fa59ea56d44e03adbd7bde72bc460aadb2a015b
Instruction Fuzzy Hash: 11213EB5604209AFDB10DF64DCD1EBB37EDEB9A3A8B040199FA009B251CB71EC55CB60

Function 00BC95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC961D

Strings

#OnAutoItStartRegister, xrefs: 00BC95F3
#requireadmin, xrefs: 00BC95D9
#notrayicon, xrefs: 00BC95B7

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 56a9c3566907a1f19f1b8ed051bf27796e993bc87f2c295eb91a49dadcae21d4
Instruction ID: 95d6f08b247bb3647ef477e5d99e20cb0bed692c822f33155f9c4baef3f37b3f
Opcode Fuzzy Hash: 56a9c3566907a1f19f1b8ed051bf27796e993bc87f2c295eb91a49dadcae21d4
Instruction Fuzzy Hash: DC21573220421167E331BB28DC4AFBB73D8EFA5714F5040BEFA8A97091EB65AD45C395

Function 00BF37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BF3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BF3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BF3876

Strings

Listbox, xrefs: 00BF380F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 816221c31188a2303ec3aa443db08c39593247fbb74adeec011db203d006f06e
Instruction ID: d51a26672cef85de5195f24a7b89dd43d743970454140857f0199e82d27722b4
Opcode Fuzzy Hash: 816221c31188a2303ec3aa443db08c39593247fbb74adeec011db203d006f06e
Instruction Fuzzy Hash: 5D21B072610118BBEB119F54CC81FBB37EAEF89B90F118164FA009B190CA75DC55C7A0

Function 00BD49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BD4A5C
SetErrorMode.KERNEL32(00000000,?,?,00BFCC08), ref: 00BD4AD0

Strings

%lu, xrefs: 00BD4A6F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7f2e020fa87a6b9bc42425b04d8961173d716ef45e52815863f646e92efd4dc9
Instruction ID: 3d76d8fa192781e058542c3723248ef8b6d144513ed5f25faa23ab7d5bd9f8d0
Opcode Fuzzy Hash: 7f2e020fa87a6b9bc42425b04d8961173d716ef45e52815863f646e92efd4dc9
Instruction Fuzzy Hash: A3314175A00109AFDB10DF54C985EAABBF8EF04318F1480A5F509DB362DB75EE45CB61

Function 00BF41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BF424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BF4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BF4271

Strings

msctls_trackbar32, xrefs: 00BF4226

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ba4d1719d45411638d6c2b74fac829815c501dc5790f99736169631f041cef5
Instruction ID: 9c6f0b6246125e4a8144bb1d1afa5602c56e8c378fe410bedd900defdd018c91
Opcode Fuzzy Hash: 7ba4d1719d45411638d6c2b74fac829815c501dc5790f99736169631f041cef5
Instruction Fuzzy Hash: 4B11CE31250248BEEF205E28CC46FBB3BE8EB85B64F010624FA55E70A0D671D851DB20

Function 00BC2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Part of subcall function 00BC2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BC2DC5
Part of subcall function 00BC2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC2DD6
Part of subcall function 00BC2DA7: GetCurrentThreadId.KERNEL32 ref: 00BC2DDD
Part of subcall function 00BC2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BC2DE4

GetFocus.USER32 ref: 00BC2F78

Part of subcall function 00BC2DEE: GetParent.USER32(00000000), ref: 00BC2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00BC2FC3
EnumChildWindows.USER32(?,00BC303B), ref: 00BC2FEB

Strings

%s%d, xrefs: 00BC2FFF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9a174489aad9e68919c3ae08db5b93bd919204ad90d5bb1f0739e7c823894539
Instruction ID: e5ae622abd35578b20979adb0f9cd0752049045824f789e7c83ffbd080b59c67
Opcode Fuzzy Hash: 9a174489aad9e68919c3ae08db5b93bd919204ad90d5bb1f0739e7c823894539
Instruction Fuzzy Hash: C6119071600209ABDF556F649C86FFE37EAAF94304F0480B9B9099B292DE7099498B60

Function 00BF5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BF58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BF58EE
DrawMenuBar.USER32(?), ref: 00BF58FD

Strings

0, xrefs: 00BF588F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: c05416cd8ba9b1bde517e63dd80adc9af005df52213ee6e6febe979e4d1df411
Instruction ID: f5f609239115ff110c10f86b3622ac1d6e61d76cb137bc555d55f5e6ef66180b
Opcode Fuzzy Hash: c05416cd8ba9b1bde517e63dd80adc9af005df52213ee6e6febe979e4d1df411
Instruction Fuzzy Hash: 4E012731500218AEDB219F25DC85BBABBB4FB45360F10C0D9EA49D7251DB708A88EF21

Function 00BC007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028cd8b6d1a30935a210dca48b8b5abd7c44564005934521eeead680cf553835
Instruction ID: f580e428b0b6067efb05a41bc7cb55a1ebe36304a47dd372b0a80815e652f51e
Opcode Fuzzy Hash: 028cd8b6d1a30935a210dca48b8b5abd7c44564005934521eeead680cf553835
Instruction Fuzzy Hash: 8BC14775A1021AEFDB14DFA8C894FAAB7B5FF88304F248598E505EB251D731EE41CB90

Function 00B93E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B93F0B
__alldvrm.LIBCMT ref: 00B9410C
__alldvrm.LIBCMT ref: 00B9412E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 561f21f11133bf88cdbaf92e6c43b666358b6c9c4dcc8d088982a42de72fce8a
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 0DA12476A042969FDF25CF28C891BAABFE5EF62350F1841FDE5859B281C3348982C750

Function 00BE342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BE3459
CoUninitialize.OLE32 ref: 00BE3463
VariantInit.OLEAUT32(?), ref: 00BE346E
VariantClear.OLEAUT32(?), ref: 00BE371B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 9a0db98d17dd02b0272f9e5453ab44142371d9d7127c31518b0663245d8f95c4
Instruction ID: b811ed85736baa0abff8271cea535327a93426f432dcca25f37aafeba0f6d0f4
Opcode Fuzzy Hash: 9a0db98d17dd02b0272f9e5453ab44142371d9d7127c31518b0663245d8f95c4
Instruction Fuzzy Hash: F2A15C752183009FC710DF29C595A2AB7E5FF88714F04889DF98A9B362DB34EE45CB91

Function 00BC0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC0608
CLSIDFromProgID.OLE32(?,?,00000000,00BFCC40,000000FF,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC062D
_memcmp.LIBVCRUNTIME ref: 00BC064E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 46d974dabc746846f938c24171a2334639eac11df185078e67e5f78b4568c2c7
Instruction ID: 7095cafc3edb9e0b33b39002795b7937c08592006e05b322acd508cbd6cf1916
Opcode Fuzzy Hash: 46d974dabc746846f938c24171a2334639eac11df185078e67e5f78b4568c2c7
Instruction Fuzzy Hash: 0981F771A10109EFCB04DF94C984EEEB7F9FF89315F204598E516AB250DB71AE46CB60

Function 00BEA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BEA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00BEA6BA

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Process32NextW.KERNEL32(00000000,?), ref: 00BEA79C
CloseHandle.KERNEL32(00000000), ref: 00BEA7AB

Part of subcall function 00B7CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BA3303,?), ref: 00B7CE8A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 6782b7267fee2d9fa8634d34deee698a57569ea56243619428e2dc6a10b55357
Instruction ID: 9e379616a46b1a419e7cdd80ea176a512aabf9c3996e3695fdc0da981411221c
Opcode Fuzzy Hash: 6782b7267fee2d9fa8634d34deee698a57569ea56243619428e2dc6a10b55357
Instruction Fuzzy Hash: 94514D715083409FD710EF25C886E6BBBE8FF89754F00895DF599972A1EB34E904CB92

Function 00BA1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BA14C0

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f990d31baaac1b997f84817c75fa151b11c77769295d323fadaa9d7c7c985caf
Instruction ID: f72489724c00b113058df7fea9db04c7339c3ab74d48cb35d38a9c71c94e7807
Opcode Fuzzy Hash: f990d31baaac1b997f84817c75fa151b11c77769295d323fadaa9d7c7c985caf
Instruction Fuzzy Hash: F5414931A08115ABDF617FBD8C85ABE3AE4EF4B370F144AE5F418D6391EA3448419BA1

Function 00BF6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF62E2
ScreenToClient.USER32(?,?), ref: 00BF6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00BF6382

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4e2008a2c03fe1035ae9ea9989e52b677b06dd251b4a06fa8664ca988b95311f
Instruction ID: 765628753a7a7b3cbabf58d20488951b4873fed8469f3c50262d6a4e54cf09a7
Opcode Fuzzy Hash: 4e2008a2c03fe1035ae9ea9989e52b677b06dd251b4a06fa8664ca988b95311f
Instruction Fuzzy Hash: 78511874A00209EFCB14DF68D980ABE7BF5EB55360F1481A9FE159B2A1D730ED85CB90

Function 00BE1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BE1AFD
WSAGetLastError.WSOCK32 ref: 00BE1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BE1B8A
WSAGetLastError.WSOCK32 ref: 00BE1B94

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2c34bf9661adbf8c64097e679a0d79dc390035caf36a233e706316a5aec383ea
Instruction ID: 60728a79e6192a405f8e5a2f01e85dd5f238c6500f6546cb80c9c617b0de4ed2
Opcode Fuzzy Hash: 2c34bf9661adbf8c64097e679a0d79dc390035caf36a233e706316a5aec383ea
Instruction Fuzzy Hash: 9441A034600200AFE720AF24C886F2A77E5EB44718F54C498F95A9F3D2D776ED41CB90

Function 00B9B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25a880021febd963755f2bf97e600434a61381399c9dc9229d71ea3b425b8b3
Instruction ID: c8f8dba693bb113e66d86ff29b24461e22aa0cca9f75fd0278024c48752e389c
Opcode Fuzzy Hash: b25a880021febd963755f2bf97e600434a61381399c9dc9229d71ea3b425b8b3
Instruction Fuzzy Hash: C441E275A00304AFDB24AF78D941FAABBE9EB88710F1045BEF151DB392D77199018780

Function 00BD56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BD5783
GetLastError.KERNEL32(?,00000000), ref: 00BD57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BD57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BD57FA

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b80457177f267fc60a7c2cdba9e05d11e262f653e63a16692b7c8843e8e63e6e
Instruction ID: 0337e65802d103bdcae73b2525830202a7319d0b874840b0a235dccc439e3b31
Opcode Fuzzy Hash: b80457177f267fc60a7c2cdba9e05d11e262f653e63a16692b7c8843e8e63e6e
Instruction Fuzzy Hash: 89415B39210610DFCB20EF15C554A5EBBF2EF99324B1884D9E84AAB362DB34FD40CB91

Function 00B9D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B86D71,00000000,00000000,00B882D9,?,00B882D9,?,00000001,00B86D71,8BE85006,00000001,00B882D9,00B882D9), ref: 00B9D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B9D9AB
__freea.LIBCMT ref: 00B9D9B4

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9e3da7b0e4ec6ab20deab0d400397c9535516d84edf37349c2325dd28ff8bc2f
Instruction ID: e9c4d980eb7775e76f7cddd91b3d99ec9cd6603866592fe1c35b26fe4d02fb24
Opcode Fuzzy Hash: 9e3da7b0e4ec6ab20deab0d400397c9535516d84edf37349c2325dd28ff8bc2f
Instruction Fuzzy Hash: 6831AE72A0020AABDF24AF65DC85EAE7BE5EB40710B1542A9FC05D7160EB35CD54CB90

Function 00BF52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00BF5352
GetWindowLongW.USER32(?,000000F0), ref: 00BF5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF53A8

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e76e2708ea77752b8d7d804448f2e4093cbd2fcf1d8838ed5ec1c383a90febbc
Instruction ID: 4554e05cd0cf2d08c77635921554c616d228d67370c8030a48c19da50832cd20
Opcode Fuzzy Hash: e76e2708ea77752b8d7d804448f2e4093cbd2fcf1d8838ed5ec1c383a90febbc
Instruction Fuzzy Hash: 57319234A55A0CEFEB309A1CCC45BF877E5EB05390F584181FB12971E1C7B09988DB4A

Function 00BCAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00BCABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BCAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BCAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00BCACC6

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b4e21755bce2cc00b8169e8dd6318e35796f503e5667dc6c8b0cf1c13caae8f
Instruction ID: ea022528e725d910f21317ea607730794c12a4a55afc3833e9bce53acfae9a6a
Opcode Fuzzy Hash: 2b4e21755bce2cc00b8169e8dd6318e35796f503e5667dc6c8b0cf1c13caae8f
Instruction Fuzzy Hash: A3311230A4421CAFFB248B688C09FFB7BE5EB89318F04429EE491971D1C374998587A2

Function 00BF7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BF769A
GetWindowRect.USER32(?,?), ref: 00BF7710
PtInRect.USER32(?,?,00BF8B89), ref: 00BF7720
MessageBeep.USER32(00000000), ref: 00BF778C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 805077369599b63997f5a55ec05ca79fd4b9c6f087140e5ef116aa20670970f7
Instruction ID: 751fe95a1aa11c3ba3eb1a87295b655ab3bf42d4a680cec02e3d3518cb35e95b
Opcode Fuzzy Hash: 805077369599b63997f5a55ec05ca79fd4b9c6f087140e5ef116aa20670970f7
Instruction Fuzzy Hash: 97416D34655218EFCB01EF58C894FB97BF5FB49314F1940E8EA249B261CB30AD49CB90

Function 00BF16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BF16EB

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

GetCaretPos.USER32(?), ref: 00BF16FF
ClientToScreen.USER32(00000000,?), ref: 00BF174C
GetForegroundWindow.USER32 ref: 00BF1752

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 81cfb653c61773f2927d37a0483970b6f51eb780492493a244588dc21a242b13
Instruction ID: a04757acb5833d8986e783c4a8a718bfaa5ac6e04069c1f647861e91df6204b4
Opcode Fuzzy Hash: 81cfb653c61773f2927d37a0483970b6f51eb780492493a244588dc21a242b13
Instruction Fuzzy Hash: D6313E75D00249AFC704EFA9C981DBEBBF9EF48304B5084AAE415E7211EA35DE45CFA0

Function 00BF8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetCursorPos.USER32(?), ref: 00BF9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BB7711,?,?,?,?,?), ref: 00BF9016
GetCursorPos.USER32(?), ref: 00BF905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BB7711,?,?,?), ref: 00BF9094

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7f2549eebf61840f4b2180d73f39c4eade524d36134dd750496beae7ac59fafb
Instruction ID: 03a83a3dc1ccc4c84b487391c4085837187644bacb100a397dd251e35d4c09aa
Opcode Fuzzy Hash: 7f2549eebf61840f4b2180d73f39c4eade524d36134dd750496beae7ac59fafb
Instruction Fuzzy Hash: 04216D3560011CEFDB258FA4C859FFA7BF9EB89360F1440A5FA058B2A1CB319994DF60

Function 00BCD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BFCB68), ref: 00BCD2FB
GetLastError.KERNEL32 ref: 00BCD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BCD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BFCB68), ref: 00BCD376

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 57a0d45449f13cfec7400fe4b22161d053a971d2905a1de3b2722cd8ff29de31
Instruction ID: 429f27679db1e851dcb4dd88c04f0065c9cb4267cc176da0072d550b38f1e145
Opcode Fuzzy Hash: 57a0d45449f13cfec7400fe4b22161d053a971d2905a1de3b2722cd8ff29de31
Instruction Fuzzy Hash: AA21B7745043059F8300DF24C98196E7BE8EF95364F104AADF495C72A1DB30D949CB97

Function 00BC1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC102A
Part of subcall function 00BC1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1036
Part of subcall function 00BC1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1045
Part of subcall function 00BC1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC104C
Part of subcall function 00BC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BC15BE
_memcmp.LIBVCRUNTIME ref: 00BC15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC1617
HeapFree.KERNEL32(00000000), ref: 00BC161E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6d832aa329d1d5ddae5e2d7cdef985bb63e115262e3121858b54b2001c375a77
Instruction ID: 9b0734dac24b7d1db9a3f4ec637d7d43512fe679e36a60c989faf155aed8817f
Opcode Fuzzy Hash: 6d832aa329d1d5ddae5e2d7cdef985bb63e115262e3121858b54b2001c375a77
Instruction Fuzzy Hash: 4F217C71E00108AFDB00DFA8C945FEEB7F8EF45344F184899E441B7242D730AA45DB50

Function 00BF2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BF280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BF2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BF2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BF2840

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 54e6f6949b5a1a2316d7c148d53a03e109e107546e3676dc1194c2c4055068a8
Instruction ID: fea500f652b9f9678b64519088c43727e050c8d103c1ef044aad224a2c78a6bd
Opcode Fuzzy Hash: 54e6f6949b5a1a2316d7c148d53a03e109e107546e3676dc1194c2c4055068a8
Instruction Fuzzy Hash: A4212131204119AFD7109B24C841FBA7BE5EF45324F148198F526CB6E2CB71FC86C790

Function 00BC78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?), ref: 00BC8D8C
Part of subcall function 00BC8D7D: lstrcpyW.KERNEL32(00000000,?,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC8DB2
Part of subcall function 00BC8D7D: lstrcmpiW.KERNEL32(00000000,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?), ref: 00BC8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7923
lstrcpyW.KERNEL32(00000000,?,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7984

Strings

cdecl, xrefs: 00BC797B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 3d894390f9684e28f1822249aa9f3c2390df21109e45cc32783e9c50a76543be
Instruction ID: aacb7449364b5f39c120b8b5af30f3566a860313e1c7820b71ae9a2e7ec01abb
Opcode Fuzzy Hash: 3d894390f9684e28f1822249aa9f3c2390df21109e45cc32783e9c50a76543be
Instruction Fuzzy Hash: ED11263A200302BBCB159F38D844E7A77E9FF85390B50806EF846C72A4EF719811CBA1

Function 00BF7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00BF7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00BF7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BF7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00BDB7AD,00000000), ref: 00BF7D6B

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 679ad0b3203e983e2872edb385764ceb974dc87c4166ee63132e43bdf28da443
Instruction ID: c0325f569df874c250cd9ebdd2c6188e0f8fbda47bcacbe049f402466ecbd58e
Opcode Fuzzy Hash: 679ad0b3203e983e2872edb385764ceb974dc87c4166ee63132e43bdf28da443
Instruction Fuzzy Hash: 8411AC75258619AFCB108F28CC04ABA3BE5EF45360B5583B4F939CB2E0DB308965CB80

Function 00BF5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00BF56BB
_wcslen.LIBCMT ref: 00BF56CD
_wcslen.LIBCMT ref: 00BF56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF5816

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e8d32471beb16865159df164003ad44c0ea685a4e47ede5c99f5fe0eb524ce85
Instruction ID: 075230d18467b01c07654758266691476637bd3b94771390f8fcca7a64f49856
Opcode Fuzzy Hash: e8d32471beb16865159df164003ad44c0ea685a4e47ede5c99f5fe0eb524ce85
Instruction Fuzzy Hash: 3811B47160060CAADB30AF61CCC5AFE77ECEF11760B1080A6FB15D7181EB709988CB64

Function 00B91D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72752929b44c8d9ad9736a4d1a0dd594ced88daa7b26ccba82aa7cf58e36602
Instruction ID: 5dacd50412efb4e713db70e28fdf487ac910c64d2faff7aa81f89e03c2264658
Opcode Fuzzy Hash: e72752929b44c8d9ad9736a4d1a0dd594ced88daa7b26ccba82aa7cf58e36602
Instruction Fuzzy Hash: 90014FB260561B7EFE11167C6CC1F67669DDF413B8B340BB5F535621E2DB608D40A170

Function 00BC1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BC1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A8A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 224c7db61abe98b8a2e2f7ebcc48eae10a24978635597dbc7f62f59e9eb2f7ce
Instruction ID: 3c834d8ad43b551803091f5c07fa7f8c6c3d1de160a23c4de16094ac92d127ee
Opcode Fuzzy Hash: 224c7db61abe98b8a2e2f7ebcc48eae10a24978635597dbc7f62f59e9eb2f7ce
Instruction Fuzzy Hash: A411393AD01219FFEB10DFA8CD85FADBBB8EB08750F200495EA10B7290D6716E50DB94

Function 00BCE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BCE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00BCE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BCE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BCE24D

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f394bbe7c9a9580682eb31f81ea143ce4f0c8d3a6ac6e298fb5926cbbc6269ab
Instruction ID: cca0b31f656596c6f317b54d692f4b29b65011d504012177a5a236af32b7b29a
Opcode Fuzzy Hash: f394bbe7c9a9580682eb31f81ea143ce4f0c8d3a6ac6e298fb5926cbbc6269ab
Instruction Fuzzy Hash: 0511C876904258BFC7019FA89C05FAE7FECDB45320F044259F924E72A1D770CD048BA0

Function 00B8D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B8CFF9,00000000,00000004,00000000), ref: 00B8D218
GetLastError.KERNEL32 ref: 00B8D224
__dosmaperr.LIBCMT ref: 00B8D22B
ResumeThread.KERNEL32(00000000), ref: 00B8D249

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f6aaabda64df2a4371873000517ff76b03ef44804e3230a93f537ed54017b087
Instruction ID: 82a56bf7cc15440a1299f11aa3570778857447ec703b21c1cbfafb7885cd3859
Opcode Fuzzy Hash: f6aaabda64df2a4371873000517ff76b03ef44804e3230a93f537ed54017b087
Instruction Fuzzy Hash: A601C036805209BBDB117FA5DC09AAA7FA9EF81330F10029AF925A21F0CF708945C7A0

Function 00B7990E Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 00B798D6
SetBkMode.GDI32(?,00000001), ref: 00B798E9
GetStockObject.GDI32(00000005), ref: 00B798F1
GetWindowLongW.USER32(?,000000EB), ref: 00B79952

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ColorLongModeObjectStockTextWindow
String ID:
API String ID: 2960364272-0
Opcode ID: 6be271b19b862f6de262eac5863584d4f168ced4788585535d91b1a01078149c
Instruction ID: 75f426b9f063dabeb1d87c5c2020b74e73eab64a4ab40a81b26fbc975cb9e242
Opcode Fuzzy Hash: 6be271b19b862f6de262eac5863584d4f168ced4788585535d91b1a01078149c
Instruction Fuzzy Hash: 2A118C322462109FD7118F20EC94FFA7FA5DF6B365B08419DFA468B2A2DB314891C751

Function 00B6600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
GetStockObject.GDI32(00000011), ref: 00B66060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 71a181c6d31c548e56afd592932fd50b540c94512300edeb168d6f2a184645c9
Instruction ID: cf2e1819eeecd88704105b277c745d4eb202ba50d33c3471e69064121d08d563
Opcode Fuzzy Hash: 71a181c6d31c548e56afd592932fd50b540c94512300edeb168d6f2a184645c9
Instruction Fuzzy Hash: 5B116D72501508BFEF165FA49C84EEABFADFF093A4F040265FA1553110DB369CA0DBA0

Function 00B83B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B83B56

Part of subcall function 00B83AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00B83AD2
Part of subcall function 00B83AA3: ___AdjustPointer.LIBCMT ref: 00B83AED

_UnwindNestedFrames.LIBCMT ref: 00B83B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00B83B7C
CallCatchBlock.LIBVCRUNTIME ref: 00B83BA4

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 28d4f055bf347d8418a261e86557f490ff8caff64c1e664f5fab9bc221c58108
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: AB012972100149BBDF126E95CC42EEB7FE9EF48B54F044094FE4856131D732E961DBA0

Function 00B93073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B613C6,00000000,00000000,?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue), ref: 00B930A5
GetLastError.KERNEL32(?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue,00C02290,FlsSetValue,00000000,00000364,?,00B92E46), ref: 00B930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue,00C02290,FlsSetValue,00000000), ref: 00B930BF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 226ceee353212825a90963020ce4b25b2bf8922c8c95c33d08c849b00180649b
Instruction ID: 092c838fbbe09517e1aa4e2ed5c3d994e2f2156bb86c7487a00a97e8673457f0
Opcode Fuzzy Hash: 226ceee353212825a90963020ce4b25b2bf8922c8c95c33d08c849b00180649b
Instruction Fuzzy Hash: B501D432301226ABCF314A789C84B6B7FD8EF05FA1B250670F915E3140CB21D945C6E0

Function 00BC7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BC747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BC7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BC74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BC74CA

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9453c453874a4b7d1f66b3221157bc242fcc335c1c78627fec2715a5baa17f86
Instruction ID: d28d37e36325cca6f2b1406bcea936a10f77db2eee3d62bd5861fe39db8070e7
Opcode Fuzzy Hash: 9453c453874a4b7d1f66b3221157bc242fcc335c1c78627fec2715a5baa17f86
Instruction Fuzzy Hash: B711A1B12453149BE7208F14ED49FA2BFFCEB00B00F1085ADA626D7251DB70E944DF90

Function 00BCB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB126

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 58dc9af120a001922c7d8dece8dc97978ce0d55b9a117481e3f49288759254ad
Instruction ID: 202f7b70c55e9eb5cdd6b0780652616dfb2da5204232c71c5edc9af7096f9c3d
Opcode Fuzzy Hash: 58dc9af120a001922c7d8dece8dc97978ce0d55b9a117481e3f49288759254ad
Instruction Fuzzy Hash: 48111831C1151CD7CF009FA4E99AFEEBBB8FF09711F114089D951B3181CB3056508B52

Function 00BC2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BC2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC2DD6
GetCurrentThreadId.KERNEL32 ref: 00BC2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BC2DE4

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d75dd678d91386612f604db688dd4da2587f233dd614aba4b007168308b1088d
Instruction ID: b46d639db9bdb30ff03508325bf41004801d04b19ea168ce224f033ef3397712
Opcode Fuzzy Hash: d75dd678d91386612f604db688dd4da2587f233dd614aba4b007168308b1088d
Instruction Fuzzy Hash: 00E092711052287BD7201B729D0DFFB3EACEF53BA1F100069F506D30809EA0C980C6B0

Function 00BF8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796A2
Part of subcall function 00B79639: BeginPath.GDI32(?), ref: 00B796B9
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BF8887
LineTo.GDI32(?,?,?), ref: 00BF8894
EndPath.GDI32(?), ref: 00BF88A4
StrokePath.GDI32(?), ref: 00BF88B2

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6ac02bf02c1cd76765752751979273671fccf8871d00a694c12d021ed3f0a334
Instruction ID: b5a19d7b014a8bd265c5efd4bfc6112729222909e9bbec36a0839f1bc3b5b43e
Opcode Fuzzy Hash: 6ac02bf02c1cd76765752751979273671fccf8871d00a694c12d021ed3f0a334
Instruction Fuzzy Hash: 24F03A36041259BADB125FA4AD09FEE3E59AF06310F048141FA11670E2CB755561CBA5

Function 00B798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B798CC
SetTextColor.GDI32(?,?), ref: 00B798D6
SetBkMode.GDI32(?,00000001), ref: 00B798E9
GetStockObject.GDI32(00000005), ref: 00B798F1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 07a2f1f81cb02c50a78ce0292fed580d73a7366e16d4a9be421056ff0bf402fb
Instruction ID: 397bca79d9d55b38aeb446828ac028df905800b86157697f4d9ade65da4f4f6c
Opcode Fuzzy Hash: 07a2f1f81cb02c50a78ce0292fed580d73a7366e16d4a9be421056ff0bf402fb
Instruction Fuzzy Hash: 12E06531244244ABEB215F74AD09BF83F50EB51336F148259F6F95A1E1CB714790DB10

Function 00BC162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00BC1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00BC11D9), ref: 00BC163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BC11D9), ref: 00BC1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00BC11D9), ref: 00BC164F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 995914fe9d5997ee557650e68099fbb02cc69740f7176d33f87bfd19b7e263b1
Instruction ID: d41d7299af9e0297e9e16c929adc7090c8697176364b604a0a604368be93a95b
Opcode Fuzzy Hash: 995914fe9d5997ee557650e68099fbb02cc69740f7176d33f87bfd19b7e263b1
Instruction Fuzzy Hash: 4FE04632602215ABD7201BB4AE0DFA63FA8EF45792F148858F245DB080EE348485CB68

Function 00BBD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BBD858
GetDC.USER32(00000000), ref: 00BBD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBD882
ReleaseDC.USER32(?), ref: 00BBD8A3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c4ba6e95fddb2572aedc1a979ac1e66024e24a85a74c9e73d3354a8459ffd3fb
Instruction ID: 4fdb7d93eeb330ee62f8c24a7bcf288ddcc667466670ea810dad60f9820443af
Opcode Fuzzy Hash: c4ba6e95fddb2572aedc1a979ac1e66024e24a85a74c9e73d3354a8459ffd3fb
Instruction Fuzzy Hash: 6FE0E5B0804208EFCB419FA09A48A7DBFF1AB08311F109449E84AE7350CB784995EF40

Function 00BBD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BBD86C
GetDC.USER32(00000000), ref: 00BBD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBD882
ReleaseDC.USER32(?), ref: 00BBD8A3

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 393f537c9ff17693ee54c8a1f7bd1416c674d24682d073ac03cc399bef790f3f
Instruction ID: 7f5d248e336cc2e8e751f070c45dd191f060c8d8ef76343e2e91123b2e10e548
Opcode Fuzzy Hash: 393f537c9ff17693ee54c8a1f7bd1416c674d24682d073ac03cc399bef790f3f
Instruction Fuzzy Hash: FDE012B0804208EFCB40AFA0DA08A7DBFF1BB08310F109448E84AE7350CF385996EF40

Function 00BD4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00BD4ED4

Strings

LPT, xrefs: 00BD4DFB
*, xrefs: 00BD4E10

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c688e29ca542ba71f3242cc447709910d31dd1f272a73d5efa983704d46fe290
Instruction ID: 0d75ff6f0c613a30bf390f612582a18fcea57d63d14ab2b1917975ac62ebb14c
Opcode Fuzzy Hash: c688e29ca542ba71f3242cc447709910d31dd1f272a73d5efa983704d46fe290
Instruction Fuzzy Hash: 39913D75A002449FCB14DF58C494EAABBF5EF44308F1980DAE80A9F362E775ED85CB91

Function 00B8E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B8E30D

Strings

pow, xrefs: 00B8E2E5, 00B8E302

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7e1e9291ed64bf2e1ce2107c1c4add28042d6be81da241a4877d9a012c7d9ef3
Instruction ID: cef3df1ccf47fcaa2cdae1d0210e4777749c11f7a2d0a73bd7365cc36d9929d2
Opcode Fuzzy Hash: 7e1e9291ed64bf2e1ce2107c1c4add28042d6be81da241a4877d9a012c7d9ef3
Instruction Fuzzy Hash: F0514AA1A6C60296CF167B18C9417BD3BE8EF40740F3449F8E4A5422B9DF34CC91DB4A

Function 00B7E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B7E1B1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e9067d61f3d12bea72a4a0367f778e5ea24dc12128b8dc3114ce3e86d695a253
Instruction ID: db2d04e5a78e158b7daee6816cb15fbcb27aa9eb71eb7388feb66c7b33e38512
Opcode Fuzzy Hash: e9067d61f3d12bea72a4a0367f778e5ea24dc12128b8dc3114ce3e86d695a253
Instruction Fuzzy Hash: 40510035504246EFDB15DF68C4816FA7BE8EF19310F2480D9E8B1AB2A1DB74DD42CBA0

Function 00B7F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B7F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B7F2BB

Strings

@, xrefs: 00B7F2AF

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c9e9e902ab5f4783233ea7738ab2a53b626e889a86a3f21414606fc7ad5d64ef
Instruction ID: 05a200053483bc5b51e425af46cabc34e43b2e80af18f0d322edc2aa44f65c2b
Opcode Fuzzy Hash: c9e9e902ab5f4783233ea7738ab2a53b626e889a86a3f21414606fc7ad5d64ef
Instruction Fuzzy Hash: AC5155714187459BD320AF50D886BAFBBF8FB84304F81888DF2D9411A5EB758529CB66

Function 00BE5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00BE57E0
_wcslen.LIBCMT ref: 00BE57EC

Strings

CALLARGARRAY, xrefs: 00BE57E6, 00BE57EB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ee452b6849baa4fe34a561b5dc042c3023377cde994d9215021a133f7beb8b34
Instruction ID: d5d9f4b7862b9f13f8ad491b9047d6d327ec9a33ab6c04df86fc86ba557325c8
Opcode Fuzzy Hash: ee452b6849baa4fe34a561b5dc042c3023377cde994d9215021a133f7beb8b34
Instruction Fuzzy Hash: F041B231E00109DFCB24DFA9C8819BEBBF9FF59318F1441A9E515A7251EB349D81CB90

Function 00BDD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BDD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BDD13A

Strings

|, xrefs: 00BDD10B

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a1809a2930ed09f66dd920ac6aa5fd8beb634fab4db4cd3887e870a560b8c27f
Instruction ID: 8e3851e289471ca7bfba4ab6de5d53430d14defa0f9147fa3088c5fda3241e9d
Opcode Fuzzy Hash: a1809a2930ed09f66dd920ac6aa5fd8beb634fab4db4cd3887e870a560b8c27f
Instruction Fuzzy Hash: 99311A71D00209ABCF15EFA4CC85AEEBFF9FF04300F000199F915A6261E735AA46DB90

Function 00BF356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BF3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BF365C

Strings

static, xrefs: 00BF35BC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 384d38a52507e055c220fb6c91325ca350c68f25a4fbdd595fb351d5ad129b33
Instruction ID: 9e6aa7a70188d289f28eaa15894817d7cc6a4454b2791da5eb9a4c693acb2e15
Opcode Fuzzy Hash: 384d38a52507e055c220fb6c91325ca350c68f25a4fbdd595fb351d5ad129b33
Instruction Fuzzy Hash: F0318D71110208AEDB109F68DC80EBB77E9FF98B24F008659FAA5D7290DA30ED95D760

Function 00BF4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00BF461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF4634

Strings

', xrefs: 00BF458E

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4a5d30b3083b35ebb5624011e3c8b17dd14e958dbc25f9f91f70de1bfac47a99
Instruction ID: f81806e267f1acbf5d932555ffbc80353ac4a561680f7389bec3d976c968f827
Opcode Fuzzy Hash: 4a5d30b3083b35ebb5624011e3c8b17dd14e958dbc25f9f91f70de1bfac47a99
Instruction Fuzzy Hash: 1131F574A01209AFDF14DFA9C990BEABBF5FB59300F1440AAEA05AB351D770A945CF90

Function 00BF31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BF327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF3287

Strings

Combobox, xrefs: 00BF3249

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 91db9745cbcd6e36b76e18038df17bd4a7026103a9fc58c3c959c891b5ff8cb2
Instruction ID: 1b5bc8cf1faaa9438df18e3dcd65959829ffb4d90d416a79ae7336dba3e05076
Opcode Fuzzy Hash: 91db9745cbcd6e36b76e18038df17bd4a7026103a9fc58c3c959c891b5ff8cb2
Instruction Fuzzy Hash: B311B27130020C7FFF219E54DC80EBB3BEAEB98764F104265FA1897290D631DD559760

Function 00BF3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
Part of subcall function 00B6600E: GetStockObject.GDI32(00000011), ref: 00B66060
Part of subcall function 00B6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

GetWindowRect.USER32(00000000,?), ref: 00BF377A
GetSysColor.USER32(00000012), ref: 00BF3794

Strings

static, xrefs: 00BF3757

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: bd34ef6514d44be0a301e09b38554096361e9b0bafceb91c7b5e890b96ad3ccd
Instruction ID: e515e2949e018783128516f4419cd790ee59ba8d8072be2c04027862ed9f99ca
Opcode Fuzzy Hash: bd34ef6514d44be0a301e09b38554096361e9b0bafceb91c7b5e890b96ad3ccd
Instruction Fuzzy Hash: 601106B2610209AFDB00EFA8C846EBA7BE8EB08714F004954FA55E3250DB35E955DB50

Function 00BDCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BDCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BDCDA6

Strings

<local>, xrefs: 00BDCD66

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8b6200835cd926703463c3a8eae30a2a7c0745b09cef9fc3ddddb39763b0f562
Instruction ID: 12d047f736f68bf2506bbb1d7eb98331c7696e9f380adf1cadbba8db4efd6f71
Opcode Fuzzy Hash: 8b6200835cd926703463c3a8eae30a2a7c0745b09cef9fc3ddddb39763b0f562
Instruction Fuzzy Hash: 0611A3712056367AD7284A668C85EF7FEAAEF127A4F104277B11A83290E6609840D6F0

Function 00BF3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00BF34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BF34BA

Strings

edit, xrefs: 00BF348F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f18174672af4df32cc201ebb93a6ef144630e030ed1ec4ea7fe3a9d2b99cd8da
Instruction ID: 9bf704fb37aa702a2897cb02ede15fc7e2d396f3ce390f0d4c53d8a65e6f6c74
Opcode Fuzzy Hash: f18174672af4df32cc201ebb93a6ef144630e030ed1ec4ea7fe3a9d2b99cd8da
Instruction Fuzzy Hash: 5311BC7110020CAFEB128E64DC80ABB3BEAEB04B74F504364FA60932E0C771DD999B60

Function 00BC6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

CharUpperBuffW.USER32(?,?,?), ref: 00BC6CB6
_wcslen.LIBCMT ref: 00BC6CC2

Strings

STOP, xrefs: 00BC6CBC, 00BC6CC1

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b6c94653cb922d4c22f3190372f41438dfd58d7ab995298816d7e108d28a4d9b
Instruction ID: 440ccae411bc6831978dde2c9ee29e3f70e4ff9bbf23b64c08662de7313e8e62
Opcode Fuzzy Hash: b6c94653cb922d4c22f3190372f41438dfd58d7ab995298816d7e108d28a4d9b
Instruction Fuzzy Hash: 5801C032A1052A8BCB20AFFDDC80EBF77E9EB61720B1005BCE86297194EB35D940C650

Function 00BC1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BC1D4C

Strings

ListBox, xrefs: 00BC1D16
ComboBox, xrefs: 00BC1CEB

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: be1f406c1ed3832dbc5f829a40d0cd14b8f39019a9fbc6fd823a636775da47af
Instruction ID: 2f51347b4b1936385fac12de1e773d6871b811221fb8c0407bf2f417c44ba22c
Opcode Fuzzy Hash: be1f406c1ed3832dbc5f829a40d0cd14b8f39019a9fbc6fd823a636775da47af
Instruction Fuzzy Hash: EF01D871601218ABCB04EBA4CD51EFF77E8EB57350B140DADF823672C2EA349908C660

Function 00BC1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BC1C46

Strings

ListBox, xrefs: 00BC1C10
ComboBox, xrefs: 00BC1BE5

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c1fb60aee2098d8ffecac0dbba04d1874dd494d1051296499d4a20039f19a992
Instruction ID: 12b6f48af06cec1687725d1c05c500c598c7bd211ffb21393db5aa4f7d7035c5
Opcode Fuzzy Hash: c1fb60aee2098d8ffecac0dbba04d1874dd494d1051296499d4a20039f19a992
Instruction Fuzzy Hash: 0B01A77578110867CB04EB94CA51FFF77ECDB12340F14049DB40677282EA349E18E6B1

Function 00BC1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BC1CC8

Strings

ListBox, xrefs: 00BC1C94
ComboBox, xrefs: 00BC1C69

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1bac771f184acf773829f4e0bebd191a1a6cd7c0407f25d4ca9d90cb400545f3
Instruction ID: fb8ed551bb2dd66ca77e6f851cc4fc5ea068b5ad95f7128020109fda7cfb8ce2
Opcode Fuzzy Hash: 1bac771f184acf773829f4e0bebd191a1a6cd7c0407f25d4ca9d90cb400545f3
Instruction Fuzzy Hash: EB018F7168021867CB04EBA4CA51FFF77ECDB12380F540499B802B7282EA349E18D671

Function 00BC1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00BC1DD3

Strings

ListBox, xrefs: 00BC1DA0
ComboBox, xrefs: 00BC1D75

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ab76c764f2af69d57401cdd12dd52cd807a7ca6cfd172498d0d2025b68402473
Instruction ID: de1b0562150d1d98f03f9cd5dc258b149098e8acc577c653bdcb614202f9139e
Opcode Fuzzy Hash: ab76c764f2af69d57401cdd12dd52cd807a7ca6cfd172498d0d2025b68402473
Instruction Fuzzy Hash: 36F0A471B5121867DB04F7A8DD92FFF77ECEB12750F440DA9B822B32C2DA7459088660

Function 00BE747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BE7493
_wcslen.LIBCMT ref: 00BE74B9

Strings

3, 3, 16, 1, xrefs: 00BE7483

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: da760fe68ea81731eb82ffbda04c4acb24a22dc91b2956f7bd2745e0690aa379
Instruction ID: 4ecba43e7b40aa2a556c173ecdedc5952c1f236109186aeee7978457c84247d3
Opcode Fuzzy Hash: da760fe68ea81731eb82ffbda04c4acb24a22dc91b2956f7bd2745e0690aa379
Instruction Fuzzy Hash: 1EE02B02245261149231227BECC197F56D9CFC975071018ABF985C23B6EF94CD91D3A0

Function 00BC0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BC0B23

Strings

AutoIt, xrefs: 00BC0B17
Error allocating memory., xrefs: 00BC0B1C

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: c57f20a6d909fc22b34473cc5dd60cf88bc6b7553d0853d43bfb6b6519dc748b
Instruction ID: d8e88e696489b7d943f4b96163b3f2ce9675cc8689080b899aa0c352d2ab43ae
Opcode Fuzzy Hash: c57f20a6d909fc22b34473cc5dd60cf88bc6b7553d0853d43bfb6b6519dc748b
Instruction Fuzzy Hash: 45E0483228931D6AD21436557D03FA97FC4CF05B51F1044AAFB58965D38FE168D087ED

Function 00B80D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B7F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B80D71,?,?,?,00B6100A), ref: 00B7F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B6100A), ref: 00B80D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B6100A), ref: 00B80D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B80D7F

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a4b20efc0cc0ec14c3d271ea3199d81aeda7b4c3e581db28635f863d9d476049
Instruction ID: be2abcea14b7e2849324af7e5059b9445af116dccd0ec66beff47760a54adc95
Opcode Fuzzy Hash: a4b20efc0cc0ec14c3d271ea3199d81aeda7b4c3e581db28635f863d9d476049
Instruction Fuzzy Hash: F2E06D702103028FD3A0BFB9E5043667BE4EF00780F0489BDE886C7661DBB4E488CB91

Function 00BD3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00BD302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BD3044

Strings

aut, xrefs: 00BD3038

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 26b84ea9826e6f6d3955c82965cf4925c987e02f5aba6e164c6be25e7b063cef
Instruction ID: d71c12389162d9b464c834a3a3d117d09acf34809e73d49eee5ddf3694efc890
Opcode Fuzzy Hash: 26b84ea9826e6f6d3955c82965cf4925c987e02f5aba6e164c6be25e7b063cef
Instruction Fuzzy Hash: 50D05E72500328A7DA20A7A4AD0EFDB3E6CDB04750F0002A1B655E3092DEB09984CAE0

Function 00BF2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BF233F

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Strings

Shell_TrayWnd, xrefs: 00BF2325

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3904485b0501d268d7756f141df1c10b4dd100c935271b21150ceddaf3c3e876
Instruction ID: e985e1bcd37e2b6ae63eba7a7729a75c878b0c59e4073eee3eaae537e3261393
Opcode Fuzzy Hash: 3904485b0501d268d7756f141df1c10b4dd100c935271b21150ceddaf3c3e876
Instruction Fuzzy Hash: 8ED01276394314B7E664B770ED0FFD67E54AB10B10F0049267755EB1D0CDF0A881CA54

Function 00BF2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF236C
PostMessageW.USER32(00000000), ref: 00BF2373

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Strings

Shell_TrayWnd, xrefs: 00BF2365

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a85a53ade4bd4abafd0825c10d5609479798fe214c055e985b4149e500448504
Instruction ID: fb97ad845171eb79dfad210004aed63f3588a220f35c25de6d56e7b9e29929d1
Opcode Fuzzy Hash: a85a53ade4bd4abafd0825c10d5609479798fe214c055e985b4149e500448504
Instruction Fuzzy Hash: 17D0C972385314BAE664A770AD0FFD66A54AB15B10F4049267655EB1D0C9F0A881CA54

Function 00B9BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B9BE93
GetLastError.KERNEL32 ref: 00B9BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9BEFC

Memory Dump Source

Source File: 00000000.00000002.2177927200.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2177889888.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178036773.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178128680.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178177133.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c71a7f3f5dbd128c6f1f225bb062ec7f7610e9942676fc625cd099182a1e1430
Instruction ID: c72df82b3246c9cd85e89eb56b331e5700b7a2513cf360ae79e47c44364e2594
Opcode Fuzzy Hash: c71a7f3f5dbd128c6f1f225bb062ec7f7610e9942676fc625cd099182a1e1430
Instruction Fuzzy Hash: 5941B13560060AABCF219F64EE84FBA7BE9EF41310F1441F9F959971A1DB308D01CB50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2179962503.000001B2596C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2179962503.000001B2596C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309800858.000001B25A6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346339120.000001B252BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2311788583.000001B2599E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2170049219.000001B2599E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342182660.000001B2599E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2311788583.000001B2599E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2170049219.000001B2599E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342182660.000001B2599E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2179962503.000001B2596C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2179962503.000001B2596C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309800858.000001B25A6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2343802395.000001B254DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335931808.000001B254DF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3345245284.0000026A77F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2343802395.000001B254DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335931808.000001B254DF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3345245284.0000026A77F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2343802395.000001B254DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335931808.000001B254DF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3345245284.0000026A77F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2379651621.000001B252AF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2309347448.000001B25AA06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376953121.000001B253B97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331905457.000001B25AA28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376953121.000001B253B97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2309347448.000001B25AA06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331905457.000001B25AA28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327940850.000001B25AA0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2181204840.000001B251DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332811991.000001B25992C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: dualstack.reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49876 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_92fa9b10-8efb-4405-913b-cd3de413bd9c.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_92fa9b10-8efb-4405-913b-cd3de413bd9c.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre