Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574545
MD5:	5860a1bb4e76af912ba6a63ac572f7f7
SHA1:	1f61042d2c0c6b3756ea0937c419608c8396096a
SHA256:	e1ce7d30cae8f70b196509496438bddb9410ffc4c29c9329e8b78e50e773d745
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 796 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5860A1BB4E76AF912BA6A63AC572F7F7)

taskkill.exe (PID: 7256 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7556 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7620 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7688 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7744 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7808 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7840 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7856 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8124 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ec77ec-d1a5-411a-81c5-cb2ea8506a6f} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1eb9736d310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7836 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20230927232528 -prefsHandle 4472 -prefMapHandle 4468 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e67dc527-9b5e-4fa0-8f66-4b4329fa3a1d} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1eba9857d10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7640 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10a99be9-5a4d-4909-a214-281fca8c768f} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1ebb345a910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 796	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 2_2_0038EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

2_2_0038EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0038ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_0038ED6A

Source: C:\Users\user\Desktop\file.exe

2_2_0038EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0037AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

2_2_0037AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

2_2_003A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4ef7a40d-3
Source: file.exe, 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_811ba924-9
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f17d29e7-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e660941a-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 21_2_0000025D594F2377 NtQuerySystemInformation,		21_2_0000025D594F2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 21_2_0000025D59515272 NtQuerySystemInformation,		21_2_0000025D59515272

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0037D5EB: CreateFileW,DeviceIoControl,CloseHandle,

2_2_0037D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00371201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

2_2_00371201

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0037E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

2_2_0037E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0031BF40	2_2_0031BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00318060	2_2_00318060
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00382046	2_2_00382046
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00378298	2_2_00378298
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0034E4FF	2_2_0034E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0034676B	2_2_0034676B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0035E781	2_2_0035E781
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_003A4873	2_2_003A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0033CAA0	2_2_0033CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0031CAF0	2_2_0031CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0032CC39	2_2_0032CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00346DD9	2_2_00346DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0032B119	2_2_0032B119
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_003191C0	2_2_003191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00331394	2_2_00331394
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0033781B	2_2_0033781B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00317920	2_2_00317920
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0032997D	2_2_0032997D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00337A4A	2_2_00337A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00337CA7	2_2_00337CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0039BE44	2_2_0039BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00349EEE	2_2_00349EEE
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 21_2_0000025D594F2377	21_2_0000025D594F2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 21_2_0000025D59515272	21_2_0000025D59515272
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 21_2_0000025D595152B2	21_2_0000025D595152B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 21_2_0000025D5951599C	21_2_0000025D5951599C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00319CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0032F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00330A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/34@65/12

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003837B5 GetLastError,FormatMessageW,

2_2_003837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_003710BF AdjustTokenPrivileges,CloseHandle,		2_2_003710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_003716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		2_2_003716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

2_2_003851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0037D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

2_2_0037D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0038648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

2_2_0038648E

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

2_2_003142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ec77ec-d1a5-411a-81c5-cb2ea8506a6f} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1eb9736d310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20230927232528 -prefsHandle 4472 -prefMapHandle 4468 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e67dc527-9b5e-4fa0-8f66-4b4329fa3a1d} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1eba9857d10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10a99be9-5a4d-4909-a214-281fca8c768f} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1ebb345a910 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ec77ec-d1a5-411a-81c5-cb2ea8506a6f} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1eb9736d310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20230927232528 -prefsHandle 4472 -prefMapHandle 4468 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e67dc527-9b5e-4fa0-8f66-4b4329fa3a1d} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1eba9857d10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10a99be9-5a4d-4909-a214-281fca8c768f} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1ebb345a910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 00000012.00000003.2390984884.000001EBB10EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2385437640.000001EBB10EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 00000012.00000003.2385859564.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2404938395.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 00000012.00000003.2401285533.000001EBAAA7B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000012.00000003.2426444149.000001EBA6EC2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2390416627.000001EBB37F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2405366807.000001EBB37F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB3389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000012.00000003.2423905201.000001EBA6EB1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2390416627.000001EBB37F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2405366807.000001EBB37F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 00000012.00000003.2426854378.000001EBA6EB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8InputHost.pdb source: firefox.exe, 00000012.00000003.2420180369.000001EBA9931000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 00000012.00000003.2385859564.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2404938395.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2398218724.000001EBAFB7D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 00000012.00000003.2419822950.000001EBA99DC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbP4t source: firefox.exe, 00000012.00000003.2390984884.000001EBB10EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2385437640.000001EBB10EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000012.00000003.2403044291.000001EBB0B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB3389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 00000012.00000003.2406691563.000001EBB3335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2411914027.000001EBB334F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8audioses.pdb source: firefox.exe, 00000012.00000003.2419740844.000001EBA9B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2419663076.000001EBA9B87000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47mrm.pdb source: firefox.exe, 00000012.00000003.2419822950.000001EBA99AC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netutils.pdb source: firefox.exe, 00000012.00000003.2419740844.000001EBA9B82000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdbHu source: firefox.exe, 00000012.00000003.2411544953.000001EBB3389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8softokn3.pdb source: firefox.exe, 00000012.00000003.2418867630.000001EBA9BE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2419663076.000001EBA9B87000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 00000012.00000003.2413388869.000001EBB279C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8rasadhlp.pdb source: firefox.exe, 00000012.00000003.2410241022.000001EBA9F86000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47Langs.pdb source: firefox.exe, 00000012.00000003.2419967706.000001EBA998B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2419822950.000001EBA99AC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8taskschd.pdb source: firefox.exe, 00000012.00000003.2409519162.000001EBAA05A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 00000012.00000003.2390984884.000001EBB10EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2385437640.000001EBB10EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 00000012.00000003.2390416627.000001EBB37F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2405366807.000001EBB37F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8twinapi.appcore.pdb source: firefox.exe, 00000012.00000003.2420180369.000001EBA9931000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000012.00000003.2423905201.000001EBA6EB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 00000012.00000003.2406691563.000001EBB3335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2411914027.000001EBB334F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8fwpuclnt.pdb source: firefox.exe, 00000012.00000003.2418409500.000001EBAA035000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2410241022.000001EBA9FE6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000012.00000003.2425426044.000001EBA6EC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 00000012.00000003.2385859564.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2404938395.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000012.00000003.2425426044.000001EBA6EC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 00000012.00000003.2403751681.000001EBB3499000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2405520728.000001EBB3499000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8OnDemandConnRouteHelper.pdb source: firefox.exe, 00000012.00000003.2410241022.000001EBA9F86000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 00000012.00000003.2385859564.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2404938395.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 00000012.00000003.2403044291.000001EBB0B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 00000012.00000003.2385859564.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2404938395.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB3389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8imagehlp.pdb source: firefox.exe, 00000012.00000003.2423045813.000001EBAA0A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2409519162.000001EBAA05A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2409519162.000001EBAA0A0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Globalization.pdb source: firefox.exe, 00000012.00000003.2419967706.000001EBA998B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 00000012.00000003.2406691563.000001EBB3335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2390780957.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2384509131.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2411914027.000001EBB334F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2412591982.000001EBB32EF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 00000012.00000003.2385859564.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2404938395.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ExplorerFrame.pdb source: firefox.exe, 00000012.00000003.2409519162.000001EBAA05A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2418409500.000001EBAA035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB3389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdbobject_data_delete_trigger source: firefox.exe, 00000012.00000003.2390984884.000001EBB10EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2385437640.000001EBB10EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.18.dr
Source:	Binary string: winmm.pdb source: firefox.exe, 00000012.00000003.2390416627.000001EBB37F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2405366807.000001EBB37F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdb source: firefox.exe, 00000012.00000003.2426854378.000001EBA6EB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB33A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB33A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB3389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8osclientcerts.pdb source: firefox.exe, 00000012.00000003.2411256744.000001EBA9F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2410241022.000001EBA9F57000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 00000012.00000003.2385859564.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2404938395.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB33A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB33A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2403751681.000001EBB3499000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2405520728.000001EBB3499000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8DataExchange.pdb source: firefox.exe, 00000012.00000003.2419822950.000001EBA99AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2419822950.000001EBA99DC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.18.dr
Source:	Binary string: 8wintrust.pdb source: firefox.exe, 00000012.00000003.2420431301.000001EBA90AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: firefox.exe, 00000012.00000003.2403751681.000001EBB3499000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2405520728.000001EBB3499000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb G: source: firefox.exe, 00000012.00000003.2411544953.000001EBB33A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB33A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 00000012.00000003.2385859564.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2404938395.000001EBB10BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iertutil.pdb source: firefox.exe, 00000012.00000003.2419822950.000001EBA99DC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000012.00000003.2426444149.000001EBA6EC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 00000012.00000003.2421849602.000001EBAB337000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB3389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8linkinfo.pdb source: firefox.exe, 00000012.00000003.2409519162.000001EBAA05A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ColorAdapterClient.pdb source: firefox.exe, 00000012.00000003.2419967706.000001EBA998B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2420084471.000001EBA9964000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8powrprof.pdb source: firefox.exe, 00000012.00000003.2419663076.000001EBA9B87000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 00000012.00000003.2411544953.000001EBB3389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2406379859.000001EBB337F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 00000012.00000003.2420180369.000001EBA9931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2420084471.000001EBA995D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 00000012.00000003.2401285533.000001EBAAA7B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8MMDevAPI.pdb source: firefox.exe, 00000012.00000003.2419740844.000001EBA9B82000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_003142DE

Source: gmpopenh264.dll.tmp.18.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00330A76 push ecx; ret

2_2_00330A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0032F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		2_2_0032F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_003A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		2_2_003A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_2-95974

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 21_2_0000025D594F2377 rdtsc

21_2_0000025D594F2377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0037DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0037DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0034C2A2 FindFirstFileExW,	2_2_0034C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_003868EE FindFirstFileW,FindClose,	2_2_003868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0038698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0038698F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0037D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0037D076
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0037D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0037D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00389642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00389642
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0038979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0038979D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00389B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00389B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00385C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00385C97

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_003142DE

Source: firefox.exe, 00000014.00000002.3419775653.00000197A8900000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: firefox.exe, 00000015.00000002.3418814111.0000025D59580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: firefox.exe, 00000015.00000002.3418814111.0000025D59580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: firefox.exe, 00000014.00000002.3414236883.00000197A83CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3412701255.0000025D58D1A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3418814111.0000025D59580000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.3417664510.0000024676020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000014.00000002.3418764397.00000197A881A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: file.exe, 00000002.00000003.2260850379.000000000101A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.2264485346.0000000001025000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.2262836150.000000000101A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW+
Source: firefox.exe, 00000018.00000002.3412549473.0000024675BBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0=
Source: firefox.exe, 00000014.00000002.3419775653.00000197A8900000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3418814111.0000025D59580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 21_2_0000025D594F2377 rdtsc

21_2_0000025D594F2377

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0038EAA2 BlockInput,

2_2_0038EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00342622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00342622

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_003142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00334CE8 mov eax, dword ptr fs:[00000030h]

2_2_00334CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00370B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

2_2_00370B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00342622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00342622
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0033083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0033083F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_003309D5 SetUnhandledExceptionFilter,	2_2_003309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00330C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00330C21

Source: C:\Users\user\Desktop\file.exe

2_2_00371201

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00352BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

2_2_00352BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0037B226 SendInput,keybd_event,

2_2_0037B226

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

2_2_003922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

2_2_00370B62

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00371663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

2_2_00371663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 00000012.00000003.2380304604.000001EBB0B01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00330698 cpuid

2_2_00330698

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0036D21C GetLocalTime,

2_2_0036D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0036D27A GetUserNameW,

2_2_0036D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0034B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

2_2_0034B952

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_003142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 796, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 796, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00391204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		2_2_00391204
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00391806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		2_2_00391806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	29%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
youtube-ui.l.google.com	142.250.181.14	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000018.00000002.3414367572.0000024675FC3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 00000012.00000003.2400587964.000001EBAB2B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000012.00000003.2330541464.000001EBA7BA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2391490539.000001EBB0540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2329602181.000001EBA7BA1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.18.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000018.00000002.3414367572.0000024675F8E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000012.00000003.2408158009.000001EBAB2BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2400587964.000001EBAB2B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 00000012.00000003.2280451010.000001EBA7C67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2274248698.000001EBAB2BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000012.00000003.2285348493.000001EBAAC24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408536659.000001EBAAF6C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 00000012.00000003.2386248821.000001EBB05F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2391419358.000001EBB05F3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000012.00000003.2246578660.000001EBA7352000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2245888012.000001EBA730F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2245702286.000001EBA7100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2246170689.000001EBA7331000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000012.00000003.2414040132.000001EBB046A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000012.00000003.2406691563.000001EBB3335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2412041482.000001EBB333B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000012.00000003.2283785712.000001EBAFC39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2245888012.000001EBA730F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2419967706.000001EBA998B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2301094679.000001EBA94F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2245702286.000001EBA7100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2297837770.000001EBA94F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2299021371.000001EBA94F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2356271527.000001EBA94F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2246170689.000001EBA7331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2344948664.000001EBA94F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2451422632.000001EBA8DE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 00000012.00000003.2399137967.000001EBAF975000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000012.00000003.2245888012.000001EBA730F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2245702286.000001EBA7100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2246170689.000001EBA7331000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 00000012.00000003.2282592972.000001EBA8A6A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000012.00000003.2401017455.000001EBAAFF4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000012.00000003.2415264149.000001EBAFC3A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000012.00000003.2408158009.000001EBAB2BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2400587964.000001EBAB2B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://ac	firefox.exe, 00000018.00000002.3417342948.0000024676010000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.18.dr	false	high
https://www.amazon.com/	firefox.exe, 00000012.00000003.2285140231.000001EBAB2D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2274248698.000001EBAB2BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000012.00000003.2403751681.000001EBB34CB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000012.00000003.2285140231.000001EBAB2D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2401285533.000001EBAAA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2417801209.000001EBAAA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3414249249.0000025D58F0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.3414367572.0000024675F03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000012.00000003.2327484956.000001EBA8670000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2330710972.000001EBA8671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2330051589.000001EBA8670000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2274248698.000001EBAB2BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000012.00000003.2390780957.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2384509131.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2412591982.000001EBB32EF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000018.00000002.3414367572.0000024675FC3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000012.00000003.2410241022.000001EBA9F69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2470077372.000001EBA9F69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000012.00000003.2330051589.000001EBA865D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2327484956.000001EBA865C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000012.00000003.2295571527.000001EBA8F64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2356320595.000001EBA8F64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2290160766.000001EBA8F68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2346338558.000001EBA8F64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2442295874.000001EBA8F66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000012.00000003.2384400897.000001EBB33C7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000012.00000003.2393937190.000001EBB04AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2414040132.000001EBB04AF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.18.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 00000012.00000003.2450895162.000001EBA902D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.googl	firefox.exe, 00000018.00000002.3412549473.0000024675BBA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000012.00000003.2405520728.000001EBB34BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2403751681.000001EBB34BD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000018.00000002.3414367572.0000024675F13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2274248698.000001EBAB2BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000015.00000002.3414249249.0000025D58F86000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000012.00000003.2506875851.000001EBAB37D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2284464082.000001EBAB37D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2399957727.000001EBAB37D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000012.00000003.2284464082.000001EBAB39A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2396459660.000001EBAFCF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2407340573.000001EBAFCF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2369656495.000001EBA8FEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2466901955.000001EBA78E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2334604936.000001EBA86B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2450208591.000001EBA29D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2419822950.000001EBA99AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2356320595.000001EBA8F64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2469304073.000001EBAFCF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2295571527.000001EBA8F6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2290160766.000001EBA8F68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2401764515.000001EBAAA69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2273756844.000001EBAB3D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2399919154.000001EBAB39A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2278332682.000001EBA99AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2400451443.000001EBAB2E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2295571527.000001EBA8F52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2284995658.000001EBAB2E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2419822950.000001EBA99DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2274248698.000001EBAB2E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 00000012.00000003.2401017455.000001EBAAFF4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://youtube.com/	firefox.exe, 00000012.00000003.2284995658.000001EBAB2E5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.18.dr	false	high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 00000012.00000003.2282592972.000001EBA8A6A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 00000012.00000003.2274248698.000001EBAB2BC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000012.00000003.2506875851.000001EBAB37D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2284464082.000001EBAB37D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2399957727.000001EBAB37D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000012.00000003.2280451010.000001EBA7C67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2285790165.000001EBA8772000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2471426660.000001EBA8772000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 00000012.00000003.2283785712.000001EBAFC39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 00000012.00000003.2450345546.000001EBA905F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000012.00000003.2399137967.000001EBAF975000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2415629510.000001EBAF98E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000012.00000003.2327484956.000001EBA8670000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2330051589.000001EBA865D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2327484956.000001EBA865C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2330710972.000001EBA8671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2330051589.000001EBA8670000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000012.00000003.2390780957.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2384509131.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2412591982.000001EBB32EF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000012.00000003.2421434346.000001EBAB4AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2416923831.000001EBAB4C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 00000012.00000003.2280451010.000001EBA7C67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2274248698.000001EBAB2BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000012.00000003.2420905698.000001EBAF9A2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 00000012.00000003.2246170689.000001EBA7331000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 00000012.00000003.2285348493.000001EBAAC24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2246170689.000001EBA7331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2344948664.000001EBA94F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2451422632.000001EBA8DE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
http://json-schema.org/draft-07/schema#-	firefox.exe, 00000012.00000003.2408158009.000001EBAB2BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2400587964.000001EBAB2B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000014.00000002.3418580822.00000197A8740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3417544846.0000025D59000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.3413941803.0000024675D70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.wykop.pl/	firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2274248698.000001EBAB2BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 00000012.00000003.2285140231.000001EBAB2D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureWebExtensionUncheckedLastErr	firefox.exe, 00000012.00000003.2403751681.000001EBB34C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2274248698.000001EBAB2BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 00000012.00000003.2327484956.000001EBA8670000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2330710972.000001EBA8671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2330051589.000001EBA8670000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefox	firefox.exe, 00000012.00000003.2413574330.000001EBB2765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2413574330.000001EBB2778000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574545
Start date and time:	2024-12-13 12:07:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/34@65/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 96% Number of executed functions: 51 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.175.87.197, 44.228.225.150, 54.213.181.160, 35.85.93.176, 20.3.187.198, 172.217.17.46, 88.221.134.209, 88.221.134.155, 142.250.181.138, 20.190.177.84, 23.206.197.32, 13.107.246.63, 20.103.156.88, 150.171.28.10, 23.206.197.24
Excluded domains from analysis (whitelisted): ciscobinary.openh264.org, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, tse1.mm.bing.net, a17.rackcdn.com.mdc.edgesuite.net, aus5.mozilla.org, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, a19.dscg10.akamai.net, redirector.gvt1.com, login.live.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, safebrowsing.googleapis.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, detectportal.prod.mozaws.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7856 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
06:08:50	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	https://idw.soundestlink.com/ce/c/675b7a96903a5335b119c33f/675b7ae33d33226215120f66/675b7afd057112d43b49094d?signature=7e9e7eead1b3f32bbe3709a667795cd47f753f0f46ed5e056831680ea81aa102	Get hash	malicious	Unknown	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	loader.exe	Get hash	malicious	Unknown	Browse	151.101.0.223
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	151.101.194.137
	https://idw.soundestlink.com/ce/c/675b7a96903a5335b119c33f/675b7ae33d33226215120f66/675b7afd057112d43b49094d?signature=7e9e7eead1b3f32bbe3709a667795cd47f753f0f46ed5e056831680ea81aa102	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://opof.utackhepr.com/WE76L1u/	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://e.trustifi.com/#/fff2a6/34074b/38c75f/bf3fbd/0d1c47/12c665/f3cdcd/c1be48/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d08b7b/9066d9/86c9f0/b1ff53/224fc1/c5dff5/a64e02/f00a15/3cdbea/a78615/4ddb76/30d9f7/98e1a2/9412cb/8e2651/8d4e63/9d313b/2f0213/ae3252/642e4a/6f0b2e/306b49/fd8e03/84bfef/0da4e6/6224c1/902b5e/e0d84c/badeba/3e52c1/94282a/975221/7a2e92/514659/ae5bab/957b7b/eb9e61/6942c6/d917d9/44a5ae/e58297/02048a/55f177/dca75c/c46e68/ac781c/5b787b/abcd53/568132/1d514a/5290de/d0b524/7d0cb6/e4e8bf/2ff215/1ddb69/add914/7674bb/dc5d9b/8fc829/561052/f5a816/40ee64/a0bcf5/b0cc13/8e70a5/255ef2/b24b8d/81e09f/4c70dd/5bbaa4/7ff26c/f1999b/4a2515/4a3a04/0a188e	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	j87MOFviv4.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	DvGZE4FU02.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	j3z5kxxt52.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1de93b63-cfec-4b4e-8b83-37d15a7b833b.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.173694599954956
Encrypted:	false
SSDEEP:	192:uBMXMNM5MacbhbVbTbfbRbObtbyEl7nsrLJA6unSrDtTkdxSofq:uic6macNhnzFSJMrC1nSrDhkdxW
MD5:	EA048040128763780D4C10588690B197
SHA1:	3CCAED1273A7A753A43D18EFC57FD737DB09D47E
SHA-256:	B9FA3B02DA4CFB743459C2FF52E31749021C896A848216F39A4BC01BB7146D98
SHA-512:	4473210F3A1BD8ED09EB92611B24A18049C8B8F0AAE1E4206862260CB682ED478E54CF180254B9F4B0C92A2A14530599743AE00546B027ADDA2D1C53571890C1
Malicious:	false
Preview:	{"type":"uninstall","id":"1de93b63-cfec-4b4e-8b83-37d15a7b833b","creationDate":"2024-12-13T12:25:40.455Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1de93b63-cfec-4b4e-8b83-37d15a7b833b.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.173694599954956
Encrypted:	false
SSDEEP:	192:uBMXMNM5MacbhbVbTbfbRbObtbyEl7nsrLJA6unSrDtTkdxSofq:uic6macNhnzFSJMrC1nSrDhkdxW
MD5:	EA048040128763780D4C10588690B197
SHA1:	3CCAED1273A7A753A43D18EFC57FD737DB09D47E
SHA-256:	B9FA3B02DA4CFB743459C2FF52E31749021C896A848216F39A4BC01BB7146D98
SHA-512:	4473210F3A1BD8ED09EB92611B24A18049C8B8F0AAE1E4206862260CB682ED478E54CF180254B9F4B0C92A2A14530599743AE00546B027ADDA2D1C53571890C1
Malicious:	false
Preview:	{"type":"uninstall","id":"1de93b63-cfec-4b4e-8b83-37d15a7b833b","creationDate":"2024-12-13T12:25:40.455Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.932058804547374
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLkXca8P:gXiNFS+OcUGOdwiOdwBjkYLMD8P
MD5:	364F290A2FD53594CCB2018A5CD29458
SHA1:	7C800571813F66A3664AC195F34B1B0EADE2F9A1
SHA-256:	51EC63E8923B22F8BFE1E2CF9AC031B9A2D6CB91F9D2A476773834C9B1DEE6E8
SHA-512:	04DA391261B49FBB17E013ADEF872B5A25F64C009B54777C80D7A3ABCE626FD98265B5171173DEF70E5751E8C6B5B130DE8DBA921FDA4764DB4D29C47E07B112
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.932058804547374
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLkXca8P:gXiNFS+OcUGOdwiOdwBjkYLMD8P
MD5:	364F290A2FD53594CCB2018A5CD29458
SHA1:	7C800571813F66A3664AC195F34B1B0EADE2F9A1
SHA-256:	51EC63E8923B22F8BFE1E2CF9AC031B9A2D6CB91F9D2A476773834C9B1DEE6E8
SHA-512:	04DA391261B49FBB17E013ADEF872B5A25F64C009B54777C80D7A3ABCE626FD98265B5171173DEF70E5751E8C6B5B130DE8DBA921FDA4764DB4D29C47E07B112
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07325853670443018
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	96497B8A2D18B8319E97165229D2DD62
SHA1:	650DEBD5923CFFC8068979EC320F595113FA4714
SHA-256:	45DC13121DB59AF8AB492357C145C419F61324D3AFFB032CD608EEBA72F749EA
SHA-512:	F44BC5966EFF17AB67C15E5BD52823114D95FC0EA4A2EF7C6E2581C5B9039A05E53BF482D8730586CDBC021B8B4E630A72FE2D3818F5AF82617FE5D3E0BFE654
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035822017202226504
Encrypted:	false
SSDEEP:	3:GtlstF02efO8HalstF02efO8HdlT89//alEl:GtWt25fO8HaWt25fO8HdJ89XuM
MD5:	0A5F28120387DE7917DC613641B4759F
SHA1:	A565520AFF6767D117A6499F2AD511CE420200AE
SHA-256:	9AC73C202EB737FB29F85AC90148B02ED520EFC088751BAD0E91F5562D6EA1D5
SHA-512:	6F73F3696E3A9E8C10865CB73846C964090C6D59A9118A0E58B78A06C52517C43CB0C634E0B3D0E76807E600B5B218898CE120A0CA8C846B12DE4330C363FD27
Malicious:	false
Preview:	..-.....................#..^:...}......x'_.1.{g..-.....................#..^:...}......x'_.1.{g........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03493909307479715
Encrypted:	false
SSDEEP:	3:Ol1958lYofYSwJGg+lx5SrV//mwl8XW3R2:Kv58mIgRpuw93w
MD5:	814BF367E6547C8E0D1EE0FC63A6821A
SHA1:	0B89F030E7C87199D49C4715FB617BA4CF020479
SHA-256:	5C10981C16F67A819B7F428D23102D4702C1B019F939FBB50828DD48623B2F8E
SHA-512:	3335B70871D435DC03C65C02D556964A75D0B4EDDF447A13D06B4DCBB1609B78F4D513CB91EDC3F8691493DA1423E9AD831075EC7F5C6D77AE2CABC97C9C6390
Malicious:	false
Preview:	7....-..........}......xgR.....-........}......x^.#..:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.466356577722285
Encrypted:	false
SSDEEP:	192:MnTFTRRUYbBp6HLZNMGaX96qU4dizy+/3/78O5RYiNBw8dpSl:OKeuFNMoCiyCvdw60
MD5:	9F8CFF239BE29FD344CB4DCA67857597
SHA1:	3523576AC1BC01158D852038D04F9A5EA0134B6C
SHA-256:	B6087D4EC4127B9097E88A9E1D1D9E735108BED95FDE0E45FFE31F22DCF7E28A
SHA-512:	C3DF0972A7A083AB7B15CA1F1FD0E612821D8F0C6C236CC94FB1D81979B0A2DD6BFB39386CC3A6A41719054083E922AF24C07FB2919333C1DE4D6FC2B1BCD7B6
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734092710);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734092710);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734092710);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173409

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.466356577722285
Encrypted:	false
SSDEEP:	192:MnTFTRRUYbBp6HLZNMGaX96qU4dizy+/3/78O5RYiNBw8dpSl:OKeuFNMoCiyCvdw60
MD5:	9F8CFF239BE29FD344CB4DCA67857597
SHA1:	3523576AC1BC01158D852038D04F9A5EA0134B6C
SHA-256:	B6087D4EC4127B9097E88A9E1D1D9E735108BED95FDE0E45FFE31F22DCF7E28A
SHA-512:	C3DF0972A7A083AB7B15CA1F1FD0E612821D8F0C6C236CC94FB1D81979B0A2DD6BFB39386CC3A6A41719054083E922AF24C07FB2919333C1DE4D6FC2B1BCD7B6
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734092710);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734092710);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734092710);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173409

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.331111774899714
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSodZLXnIgN/pnxQwRlszT5sKLB3eHVvwKXTRamhujJmyOOxmOmaoRm:GUpOxdPnR6N3eNwCTR4JNKRh4
MD5:	FDBE299E210A8D407E6655E2CEBC3F8A
SHA1:	68A099E42262293373CF56FF54D4DF5CA63E013C
SHA-256:	D1C863891C7E58E574EE3E1B8564579C9F5FFA6AE168C4C9A63170EF09D1A206
SHA-512:	58C8F1D6FB352BA879DB1EEFBAE5FE04BA399664500EC3FBDC49F1C0857F8742BE997AA56A6175D6505E8EB85605F6DE296FA2D6F02BD931DBAB9BE3309AD3FA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ecfd6fed-967a-4c8f-a475-eb316b0f1068}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734092718613,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`680100...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....689292,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.331111774899714
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSodZLXnIgN/pnxQwRlszT5sKLB3eHVvwKXTRamhujJmyOOxmOmaoRm:GUpOxdPnR6N3eNwCTR4JNKRh4
MD5:	FDBE299E210A8D407E6655E2CEBC3F8A
SHA1:	68A099E42262293373CF56FF54D4DF5CA63E013C
SHA-256:	D1C863891C7E58E574EE3E1B8564579C9F5FFA6AE168C4C9A63170EF09D1A206
SHA-512:	58C8F1D6FB352BA879DB1EEFBAE5FE04BA399664500EC3FBDC49F1C0857F8742BE997AA56A6175D6505E8EB85605F6DE296FA2D6F02BD931DBAB9BE3309AD3FA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ecfd6fed-967a-4c8f-a475-eb316b0f1068}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734092718613,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`680100...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....689292,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.331111774899714
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSodZLXnIgN/pnxQwRlszT5sKLB3eHVvwKXTRamhujJmyOOxmOmaoRm:GUpOxdPnR6N3eNwCTR4JNKRh4
MD5:	FDBE299E210A8D407E6655E2CEBC3F8A
SHA1:	68A099E42262293373CF56FF54D4DF5CA63E013C
SHA-256:	D1C863891C7E58E574EE3E1B8564579C9F5FFA6AE168C4C9A63170EF09D1A206
SHA-512:	58C8F1D6FB352BA879DB1EEFBAE5FE04BA399664500EC3FBDC49F1C0857F8742BE997AA56A6175D6505E8EB85605F6DE296FA2D6F02BD931DBAB9BE3309AD3FA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ecfd6fed-967a-4c8f-a475-eb316b0f1068}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734092718613,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`680100...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....689292,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.008947389142589
Encrypted:	false
SSDEEP:	48:YrSAYvoHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycvoCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	24483BE6FE4978AB2B8D5B4A12E3AE0F
SHA1:	DFF1E68FA4BB69891E24D3BF20E421B6CE75B7B9
SHA-256:	AFFC0D73B629DA344BFD06EFDF313A0B87E6F3C1D981303CA498B5B5A1EFAEA6
SHA-512:	758D3556DFE7026624FEBB65C26BBD1D21671C0EC0F17E1919F4A0A6B8CD55F882A5A966FE94DBB107B2C7F44C7339B1407E2721BB91E3ED8FF58EBA473ACB1A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T12:24:55.605Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.008947389142589
Encrypted:	false
SSDEEP:	48:YrSAYvoHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycvoCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	24483BE6FE4978AB2B8D5B4A12E3AE0F
SHA1:	DFF1E68FA4BB69891E24D3BF20E421B6CE75B7B9
SHA-256:	AFFC0D73B629DA344BFD06EFDF313A0B87E6F3C1D981303CA498B5B5A1EFAEA6
SHA-512:	758D3556DFE7026624FEBB65C26BBD1D21671C0EC0F17E1919F4A0A6B8CD55F882A5A966FE94DBB107B2C7F44C7339B1407E2721BB91E3ED8FF58EBA473ACB1A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T12:24:55.605Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.707547100826651
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	972'288 bytes
MD5:	5860a1bb4e76af912ba6a63ac572f7f7
SHA1:	1f61042d2c0c6b3756ea0937c419608c8396096a
SHA256:	e1ce7d30cae8f70b196509496438bddb9410ffc4c29c9329e8b78e50e773d745
SHA512:	4963342cc0a3c491d0db3d6c241160377004c3bf37b12c50b9fc5624a8683f27e3f71b3517e7f163321d4c88ee108499756b37bd34308cbf3e2ae11676f5876f
SSDEEP:	24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aZ+Fh:2TvC/MTQYxsWR7aZ+F
TLSH:	6E259E0273D1C062FF9B92334F5AF6515BBC69260123A61F13A81D7ABD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675C0DCD [Fri Dec 13 10:34:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F46BC810AA3h
jmp 00007F46BC8103AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F46BC81058Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F46BC81055Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F46BC81314Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F46BC813198h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F46BC813181h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x16a90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x16a90	0x16c00	fde8d90d02f94e274fd5151df70112e9	False	0.7071278331043956	data	7.199132648988243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xdc12	data			1.0004615002307502
RT_GROUP_ICON	0xea510	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea588	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea59c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea5b0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea5c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea6a0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 12:08:44.415564060 CET	49746	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:08:44.415601969 CET	443	49746	35.190.72.216	192.168.2.6
Dec 13, 2024 12:08:44.416342974 CET	49746	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:08:44.421123028 CET	49746	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:08:44.421137094 CET	443	49746	35.190.72.216	192.168.2.6
Dec 13, 2024 12:08:45.044960976 CET	49749	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:45.045002937 CET	443	49749	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:45.045264006 CET	49750	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:45.045280933 CET	49751	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:45.045308113 CET	443	49750	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:45.046160936 CET	49749	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:45.046283960 CET	49750	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:45.047604084 CET	49749	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:45.047622919 CET	443	49749	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:45.048904896 CET	49750	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:45.048922062 CET	443	49750	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:45.165394068 CET	80	49751	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:45.166024923 CET	49751	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:45.166208982 CET	49751	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:45.285980940 CET	80	49751	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:45.640554905 CET	443	49746	35.190.72.216	192.168.2.6
Dec 13, 2024 12:08:45.647331953 CET	443	49746	35.190.72.216	192.168.2.6
Dec 13, 2024 12:08:45.650763035 CET	49746	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:08:45.764202118 CET	49746	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:08:45.764218092 CET	443	49746	35.190.72.216	192.168.2.6
Dec 13, 2024 12:08:45.764358044 CET	49746	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:08:45.764513016 CET	443	49746	35.190.72.216	192.168.2.6
Dec 13, 2024 12:08:45.765177965 CET	49746	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:08:46.255412102 CET	80	49751	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:46.404052019 CET	49751	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:46.720961094 CET	49757	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:46.721000910 CET	443	49757	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:46.722052097 CET	49758	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:46.722096920 CET	443	49758	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:46.723653078 CET	49757	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:46.725060940 CET	49758	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:46.725070000 CET	49757	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:46.725084066 CET	443	49757	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:46.726516962 CET	49758	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:46.726535082 CET	443	49758	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:46.748800993 CET	443	49750	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.749531031 CET	443	49750	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.750258923 CET	443	49749	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.751266003 CET	443	49749	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.751405954 CET	49750	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:46.751418114 CET	443	49750	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.751454115 CET	49749	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:46.751477957 CET	443	49749	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.756373882 CET	49750	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:46.756392002 CET	443	49750	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.756552935 CET	49750	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:46.756608009 CET	443	49750	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.757107019 CET	49750	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:46.761653900 CET	49749	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:46.761682987 CET	443	49749	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.761809111 CET	49749	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:46.761954069 CET	443	49749	142.250.181.78	192.168.2.6
Dec 13, 2024 12:08:46.764235020 CET	49749	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:08:46.866441011 CET	49759	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:46.866486073 CET	443	49759	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:46.866581917 CET	49759	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:46.874152899 CET	49759	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:46.874170065 CET	443	49759	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:47.406660080 CET	49761	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:47.407011032 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:47.407064915 CET	443	49762	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:47.407636881 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:47.407831907 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:47.407855988 CET	443	49762	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:47.436582088 CET	49751	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:47.526540041 CET	80	49761	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:47.539933920 CET	49761	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:47.539933920 CET	49761	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:47.557387114 CET	80	49751	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:47.659867048 CET	80	49761	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:47.752034903 CET	80	49751	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:47.814919949 CET	49751	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:47.951215029 CET	443	49758	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:47.951661110 CET	49758	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.952622890 CET	443	49757	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:47.956190109 CET	49758	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.956190109 CET	49758	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.956203938 CET	443	49758	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:47.956392050 CET	443	49758	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:47.956532001 CET	49767	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.956571102 CET	443	49767	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:47.956638098 CET	49757	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.957133055 CET	49758	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.960843086 CET	49757	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.960843086 CET	49757	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.960865021 CET	443	49757	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:47.960882902 CET	49767	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.961136103 CET	443	49757	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:47.962218046 CET	49767	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:47.962241888 CET	443	49767	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:47.962533951 CET	49757	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:48.100845098 CET	443	49759	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:48.101898909 CET	49759	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:48.144022942 CET	49759	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:48.144051075 CET	443	49759	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:48.144450903 CET	443	49759	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:48.223299980 CET	49759	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:48.223392010 CET	49759	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:48.223620892 CET	443	49759	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:48.224426031 CET	49759	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:48.499331951 CET	49761	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:48.504209995 CET	49751	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:48.619643927 CET	80	49761	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:48.619741917 CET	49761	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:48.624408007 CET	80	49751	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:48.626043081 CET	443	49762	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:48.626996994 CET	49751	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:48.627036095 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.630403996 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.630431890 CET	443	49762	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:48.630693913 CET	443	49762	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:48.632354975 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.632477045 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.632596970 CET	443	49762	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:48.632855892 CET	49769	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.632899046 CET	443	49769	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:48.633105993 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.633130074 CET	49762	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.633164883 CET	49769	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.633302927 CET	49769	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:48.633325100 CET	443	49769	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:48.971846104 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:49.092848063 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:49.092927933 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:49.093096972 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:49.179632902 CET	443	49767	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:49.180454016 CET	49767	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:49.185902119 CET	49767	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:49.185919046 CET	443	49767	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:49.186002016 CET	49767	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:49.186161041 CET	443	49767	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:49.193530083 CET	49767	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:49.212728024 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:49.853874922 CET	443	49769	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:49.853981018 CET	49769	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:49.857490063 CET	49769	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:49.857497931 CET	443	49769	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:49.857815027 CET	443	49769	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:49.860857010 CET	49769	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:49.860934019 CET	49769	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:49.861056089 CET	443	49769	34.160.144.191	192.168.2.6
Dec 13, 2024 12:08:49.861160040 CET	49769	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:08:50.194495916 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:50.256254911 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:50.762423992 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:50.833937883 CET	49779	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:50.833993912 CET	443	49779	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:50.835918903 CET	49779	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:50.837542057 CET	49779	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:50.837585926 CET	443	49779	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:50.882263899 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:50.883446932 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:50.883603096 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:51.003849983 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:52.029997110 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:52.031116962 CET	49781	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:08:52.031168938 CET	443	49781	34.107.243.93	192.168.2.6
Dec 13, 2024 12:08:52.031398058 CET	49782	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:52.031425953 CET	443	49782	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:52.031474113 CET	49781	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:08:52.032993078 CET	49781	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:08:52.033014059 CET	443	49781	34.107.243.93	192.168.2.6
Dec 13, 2024 12:08:52.033298016 CET	49783	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:52.033329010 CET	443	49783	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:52.033423901 CET	49782	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:52.033633947 CET	49782	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:52.033648968 CET	443	49782	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:52.034734964 CET	49783	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:52.036169052 CET	49783	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:52.036178112 CET	443	49783	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:52.057163954 CET	443	49779	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:52.057440996 CET	49779	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:52.060805082 CET	49779	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:52.060832024 CET	443	49779	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:52.060885906 CET	49779	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:52.060988903 CET	443	49779	34.117.188.166	192.168.2.6
Dec 13, 2024 12:08:52.061558962 CET	49779	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:08:52.066222906 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:52.070008993 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:52.186295986 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:52.190057039 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:52.203073025 CET	49784	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:08:52.203113079 CET	443	49784	34.149.100.209	192.168.2.6
Dec 13, 2024 12:08:52.203342915 CET	49784	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:08:52.204889059 CET	49784	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:08:52.204899073 CET	443	49784	34.149.100.209	192.168.2.6
Dec 13, 2024 12:08:52.382606030 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:52.386010885 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:52.425096035 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:52.440659046 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:53.244798899 CET	443	49782	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:53.244930029 CET	49782	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:53.248115063 CET	49782	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:53.248147011 CET	443	49782	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:53.248475075 CET	443	49782	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:53.250046968 CET	443	49781	34.107.243.93	192.168.2.6
Dec 13, 2024 12:08:53.250380039 CET	49781	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:08:53.251703024 CET	443	49783	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:53.252408981 CET	49782	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:53.252408981 CET	49782	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:53.252614021 CET	443	49782	35.244.181.201	192.168.2.6
Dec 13, 2024 12:08:53.252741098 CET	49782	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:08:53.252756119 CET	49783	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:53.256148100 CET	49781	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:08:53.256159067 CET	443	49781	34.107.243.93	192.168.2.6
Dec 13, 2024 12:08:53.256217957 CET	49781	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:08:53.256340981 CET	443	49781	34.107.243.93	192.168.2.6
Dec 13, 2024 12:08:53.256455898 CET	49781	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:08:53.257606983 CET	49783	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:53.257616997 CET	443	49783	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:53.257695913 CET	49783	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:53.257778883 CET	443	49783	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:53.257824898 CET	49783	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:53.431497097 CET	443	49784	34.149.100.209	192.168.2.6
Dec 13, 2024 12:08:53.431585073 CET	49784	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:08:53.436163902 CET	49784	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:08:53.436178923 CET	443	49784	34.149.100.209	192.168.2.6
Dec 13, 2024 12:08:53.436255932 CET	49784	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:08:53.436446905 CET	443	49784	34.149.100.209	192.168.2.6
Dec 13, 2024 12:08:53.436541080 CET	49784	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:08:56.386492014 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:56.387715101 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:56.389553070 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.389581919 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:56.389605045 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.389642000 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:56.389826059 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.389878988 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.390026093 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.390036106 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:56.390106916 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.390120029 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:56.506367922 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:56.508306980 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:56.530174017 CET	49797	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.530220032 CET	443	49797	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:56.530675888 CET	49797	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.532032013 CET	49797	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:56.532047987 CET	443	49797	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:56.701405048 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:56.702142000 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:56.755352020 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:56.755547047 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:57.092201948 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:57.394912958 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:57.405997038 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:57.514847040 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:57.600871086 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:57.622577906 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.622673988 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.624078989 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.624213934 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.642432928 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:57.644856930 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.644891977 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.645215034 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.647685051 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.647703886 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.647994995 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.650264978 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.650341034 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.650456905 CET	443	49796	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.650832891 CET	49796	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.650892019 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.650892019 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.651099920 CET	443	49795	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.651582956 CET	49795	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.676620960 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:57.746723890 CET	443	49797	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.751331091 CET	443	49797	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:57.752697945 CET	49797	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:57.796585083 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:57.991441965 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:58.038613081 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:58.926548004 CET	49797	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:58.926574945 CET	443	49797	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:58.926630974 CET	49797	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:58.926873922 CET	443	49797	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:58.930773973 CET	49797	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:59.025322914 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:59.034337997 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:59.145325899 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:59.154035091 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:59.241727114 CET	49811	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:59.241786003 CET	443	49811	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:59.242094994 CET	49811	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:59.244497061 CET	49811	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:08:59.244520903 CET	443	49811	34.120.208.123	192.168.2.6
Dec 13, 2024 12:08:59.340853930 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:59.348839998 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:08:59.395771027 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:08:59.395807028 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:00.461967945 CET	443	49811	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:00.462064028 CET	49811	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:00.785104036 CET	49811	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:00.785120964 CET	443	49811	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:00.785181999 CET	49811	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:00.785350084 CET	443	49811	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:00.790182114 CET	49811	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:01.096873045 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:01.110259056 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:01.216669083 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:01.230231047 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:01.412972927 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:01.425195932 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:01.428143024 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:01.434164047 CET	49818	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:01.434192896 CET	443	49818	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:01.434271097 CET	49818	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:01.435673952 CET	49818	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:01.435688019 CET	443	49818	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:01.479798079 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:01.548028946 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:01.743196011 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:01.802862883 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:02.648797035 CET	443	49818	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:02.648910046 CET	49818	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:02.653167963 CET	49818	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:02.653186083 CET	443	49818	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:02.653307915 CET	49818	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:02.653372049 CET	443	49818	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:02.654382944 CET	49818	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:04.121876001 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:04.241708994 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:04.450824976 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:04.510895967 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:05.580370903 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:05.700357914 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:05.896256924 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:05.936745882 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:12.204737902 CET	49840	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:12.204775095 CET	443	49840	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:12.205260038 CET	49840	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:12.205399036 CET	49840	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:12.205410957 CET	443	49840	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:12.234191895 CET	49841	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:12.234236956 CET	443	49841	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:12.234524012 CET	49842	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:09:12.234534979 CET	443	49842	35.190.72.216	192.168.2.6
Dec 13, 2024 12:09:12.246133089 CET	49841	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:12.246171951 CET	49842	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:09:12.246351957 CET	49841	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:12.246368885 CET	443	49841	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:12.247876883 CET	49842	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:09:12.247889042 CET	443	49842	35.190.72.216	192.168.2.6
Dec 13, 2024 12:09:12.362067938 CET	49849	443	192.168.2.6	151.101.65.91
Dec 13, 2024 12:09:12.362121105 CET	443	49849	151.101.65.91	192.168.2.6
Dec 13, 2024 12:09:12.362371922 CET	49849	443	192.168.2.6	151.101.65.91
Dec 13, 2024 12:09:12.362478018 CET	49849	443	192.168.2.6	151.101.65.91
Dec 13, 2024 12:09:12.362487078 CET	443	49849	151.101.65.91	192.168.2.6
Dec 13, 2024 12:09:12.378547907 CET	49850	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:09:12.378581047 CET	443	49850	35.201.103.21	192.168.2.6
Dec 13, 2024 12:09:12.378860950 CET	49850	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:09:12.380045891 CET	49850	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:09:12.380063057 CET	443	49850	35.201.103.21	192.168.2.6
Dec 13, 2024 12:09:13.426033020 CET	443	49840	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.426124096 CET	49840	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.429317951 CET	49840	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.429328918 CET	443	49840	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.429625988 CET	443	49840	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.432122946 CET	49840	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.432233095 CET	49840	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.432337999 CET	443	49840	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.432498932 CET	49840	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.436306953 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:13.458779097 CET	443	49842	35.190.72.216	192.168.2.6
Dec 13, 2024 12:09:13.458795071 CET	443	49842	35.190.72.216	192.168.2.6
Dec 13, 2024 12:09:13.459244013 CET	443	49841	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:13.459259987 CET	443	49841	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:13.459593058 CET	49842	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:09:13.459877014 CET	49841	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:13.468204021 CET	49841	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:13.468215942 CET	443	49841	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:13.468589067 CET	443	49841	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:13.470762014 CET	49842	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:09:13.470768929 CET	443	49842	35.190.72.216	192.168.2.6
Dec 13, 2024 12:09:13.470875025 CET	49842	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:09:13.470947981 CET	443	49842	35.190.72.216	192.168.2.6
Dec 13, 2024 12:09:13.471121073 CET	49841	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:13.471168995 CET	49841	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:13.471339941 CET	443	49841	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:13.471347094 CET	49842	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:09:13.471386909 CET	49841	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:13.507822990 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:13.507865906 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:13.507956028 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:13.509440899 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:13.509455919 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:13.556138992 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:13.578114033 CET	443	49849	151.101.65.91	192.168.2.6
Dec 13, 2024 12:09:13.578190088 CET	49849	443	192.168.2.6	151.101.65.91
Dec 13, 2024 12:09:13.581671953 CET	49849	443	192.168.2.6	151.101.65.91
Dec 13, 2024 12:09:13.581684113 CET	443	49849	151.101.65.91	192.168.2.6
Dec 13, 2024 12:09:13.582047939 CET	443	49849	151.101.65.91	192.168.2.6
Dec 13, 2024 12:09:13.584424019 CET	49849	443	192.168.2.6	151.101.65.91
Dec 13, 2024 12:09:13.584536076 CET	49849	443	192.168.2.6	151.101.65.91
Dec 13, 2024 12:09:13.584621906 CET	443	49849	151.101.65.91	192.168.2.6
Dec 13, 2024 12:09:13.591072083 CET	49849	443	192.168.2.6	151.101.65.91
Dec 13, 2024 12:09:13.592752934 CET	49852	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.592788935 CET	443	49852	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.592989922 CET	49852	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.593019009 CET	49852	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.593024969 CET	443	49852	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.595004082 CET	49853	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.595038891 CET	443	49853	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.595417023 CET	49853	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.595572948 CET	49853	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.595583916 CET	443	49853	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.597160101 CET	443	49850	35.201.103.21	192.168.2.6
Dec 13, 2024 12:09:13.597533941 CET	49854	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.597549915 CET	443	49854	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.597640038 CET	49850	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:09:13.597659111 CET	49854	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.600331068 CET	49854	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:13.600347042 CET	443	49854	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:13.602883101 CET	49850	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:09:13.602893114 CET	443	49850	35.201.103.21	192.168.2.6
Dec 13, 2024 12:09:13.602972031 CET	49850	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:09:13.603071928 CET	443	49850	35.201.103.21	192.168.2.6
Dec 13, 2024 12:09:13.603466034 CET	49850	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:09:13.614425898 CET	49855	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:13.614480972 CET	443	49855	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:13.614547968 CET	49855	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:13.614670992 CET	49855	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:13.614687920 CET	443	49855	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:13.751360893 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:13.754431009 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:13.795368910 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:13.874336004 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:14.069122076 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:14.111888885 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:14.722553015 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:14.722645044 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:14.727309942 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:14.727344036 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:14.727394104 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:14.727715015 CET	443	49851	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:14.728617907 CET	49851	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:14.730551004 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:14.810195923 CET	443	49852	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.810271978 CET	49852	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.810646057 CET	443	49854	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.811333895 CET	49854	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.811356068 CET	443	49853	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.813376904 CET	49852	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.813386917 CET	443	49852	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.813548088 CET	49853	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.813632965 CET	443	49852	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.816184998 CET	49854	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.816200972 CET	443	49854	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.816431046 CET	443	49854	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.818564892 CET	49853	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.818578959 CET	443	49853	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.818825960 CET	443	49853	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.822935104 CET	49852	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.822935104 CET	49852	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.823117018 CET	443	49852	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.823220968 CET	49853	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.823280096 CET	49853	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.823415041 CET	443	49853	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.823628902 CET	49854	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.823695898 CET	49854	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.823802948 CET	443	49854	35.244.181.201	192.168.2.6
Dec 13, 2024 12:09:14.823923111 CET	49853	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.823950052 CET	49852	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.824060917 CET	49854	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:09:14.824485064 CET	443	49855	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:14.825624943 CET	49855	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:14.828519106 CET	49855	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:14.828531981 CET	443	49855	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:14.829051018 CET	443	49855	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:14.830861092 CET	49855	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:14.830925941 CET	49855	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:14.831115961 CET	443	49855	34.149.100.209	192.168.2.6
Dec 13, 2024 12:09:14.832541943 CET	49855	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:09:14.850451946 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:15.046164989 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:15.049283028 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:15.099201918 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:15.169030905 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:15.363974094 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:15.403815031 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:25.059832096 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:25.179682970 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:25.376372099 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:25.496170998 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:34.843755007 CET	49912	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:34.843801022 CET	443	49912	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:34.854999065 CET	49912	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:34.856450081 CET	49912	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:34.856470108 CET	443	49912	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:35.020235062 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:35.140506983 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:35.341557026 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:35.345148087 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:35.395095110 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:35.465014935 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:35.660188913 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:35.705809116 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:36.081459045 CET	443	49912	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:36.081501007 CET	443	49912	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:36.081546068 CET	49912	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:36.086951971 CET	49912	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:36.086978912 CET	443	49912	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:36.087061882 CET	49912	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:36.087532997 CET	443	49912	34.107.243.93	192.168.2.6
Dec 13, 2024 12:09:36.088094950 CET	49912	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:09:36.089792013 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:36.211195946 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:36.404812098 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:36.407937050 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:36.447700024 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:36.527663946 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:36.722445965 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:36.767503977 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:42.481687069 CET	49928	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.481724977 CET	443	49928	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.482289076 CET	49928	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.482289076 CET	49928	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.482321978 CET	443	49928	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.484040022 CET	49929	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.484087944 CET	443	49929	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.489136934 CET	49930	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.489157915 CET	443	49930	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.489305973 CET	49931	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.489320993 CET	443	49931	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.490382910 CET	49929	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.490446091 CET	49931	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.490571022 CET	49930	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.490572929 CET	49929	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.490586996 CET	443	49929	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.490881920 CET	49931	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.490896940 CET	443	49931	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.490938902 CET	49930	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.490957022 CET	443	49930	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.491871119 CET	49932	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.491916895 CET	443	49932	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.492078066 CET	49932	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.492166042 CET	49932	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.492182016 CET	443	49932	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.493964911 CET	49933	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.493990898 CET	443	49933	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:42.494216919 CET	49933	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.494364977 CET	49933	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:42.494385004 CET	443	49933	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.696441889 CET	443	49928	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.696528912 CET	49928	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.699872971 CET	49928	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.699898958 CET	443	49928	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.700197935 CET	443	49928	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.702935934 CET	49928	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.702935934 CET	49928	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.703103065 CET	443	49928	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.703388929 CET	49939	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.703416109 CET	443	49939	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.705045938 CET	49928	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.705045938 CET	49939	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.705498934 CET	49939	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.705513000 CET	443	49939	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.706248999 CET	443	49929	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.707192898 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:43.707775116 CET	49929	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.710699081 CET	49929	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.710709095 CET	443	49929	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.711031914 CET	443	49929	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.712367058 CET	443	49933	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.712500095 CET	49933	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.712529898 CET	443	49932	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.712747097 CET	443	49931	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.712826967 CET	443	49930	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.712990046 CET	49932	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.714787960 CET	49933	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.714797020 CET	443	49933	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.714968920 CET	49931	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.715042114 CET	443	49933	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.715339899 CET	49930	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.717776060 CET	49930	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.717782974 CET	443	49930	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.718180895 CET	443	49930	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.720091105 CET	49931	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.720101118 CET	443	49931	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.720472097 CET	443	49931	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.722902060 CET	49932	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.722914934 CET	443	49932	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.723160982 CET	443	49932	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.723541021 CET	49929	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.723737001 CET	443	49929	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.724327087 CET	49929	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.724334955 CET	443	49929	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.727247953 CET	49940	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.727277994 CET	443	49940	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.727442980 CET	49940	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.728677988 CET	49940	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.728689909 CET	443	49940	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.729496002 CET	49933	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.729676008 CET	443	49933	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.729808092 CET	49933	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.729815006 CET	443	49933	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.729882956 CET	49930	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.729984999 CET	49930	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.730284929 CET	443	49930	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.730312109 CET	49931	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.730375051 CET	49931	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.730495930 CET	443	49931	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.730846882 CET	49932	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.730846882 CET	49932	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.731020927 CET	49931	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.731021881 CET	49933	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.731112003 CET	49930	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.731240034 CET	443	49932	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.731347084 CET	49932	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:43.827143908 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:43.939333916 CET	443	49929	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:43.939836025 CET	49929	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.021750927 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:44.024831057 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:44.074922085 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:44.145108938 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:44.340459108 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:44.391422987 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:44.917574883 CET	443	49939	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:44.917651892 CET	49939	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.920681953 CET	49939	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.920691013 CET	443	49939	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:44.920953035 CET	443	49939	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:44.922871113 CET	49939	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.923011065 CET	49939	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.923042059 CET	443	49939	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:44.923186064 CET	49939	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.926028013 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:44.941200972 CET	443	49940	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:44.941292048 CET	49940	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.944436073 CET	49940	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.944442987 CET	443	49940	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:44.944768906 CET	443	49940	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:44.946520090 CET	49940	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.946621895 CET	49940	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:44.946695089 CET	443	49940	34.120.208.123	192.168.2.6
Dec 13, 2024 12:09:44.947515011 CET	49940	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:09:45.047916889 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:45.240631104 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:45.257847071 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:45.294090033 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:45.377655983 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:45.572539091 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:45.617507935 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:55.254600048 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:55.374449968 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:09:55.593303919 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:09:55.713063002 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:05.384736061 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:05.505453110 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:05.723432064 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:05.843218088 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:15.515074968 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:15.634808064 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:15.853738070 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:15.975018024 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:16.909708977 CET	50018	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:10:16.909756899 CET	443	50018	34.107.243.93	192.168.2.6
Dec 13, 2024 12:10:16.919321060 CET	50018	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:10:16.921031952 CET	50018	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:10:16.921066999 CET	443	50018	34.107.243.93	192.168.2.6
Dec 13, 2024 12:10:18.138509035 CET	443	50018	34.107.243.93	192.168.2.6
Dec 13, 2024 12:10:18.138528109 CET	443	50018	34.107.243.93	192.168.2.6
Dec 13, 2024 12:10:18.145865917 CET	50018	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:10:18.152729988 CET	50018	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:10:18.152745962 CET	443	50018	34.107.243.93	192.168.2.6
Dec 13, 2024 12:10:18.152846098 CET	50018	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:10:18.153031111 CET	443	50018	34.107.243.93	192.168.2.6
Dec 13, 2024 12:10:18.153677940 CET	50018	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:10:18.155661106 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:18.275393963 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:18.471962929 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:18.475605011 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:18.523947954 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:18.595488071 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:18.790369987 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:18.840487957 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:28.491242886 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:28.611782074 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:28.792129040 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:28.912081003 CET	80	49770	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:38.629070044 CET	49778	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:38.748733044 CET	80	49778	34.107.221.82	192.168.2.6
Dec 13, 2024 12:10:38.919984102 CET	49770	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:10:39.039982080 CET	80	49770	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 12:08:44.416228056 CET	53846	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:44.554224968 CET	53	53846	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:44.569310904 CET	53381	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:44.707463026 CET	53	53381	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:44.890495062 CET	60502	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:44.890810966 CET	55073	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:45.028167009 CET	53	60502	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:45.051413059 CET	53439	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:45.051556110 CET	57387	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:45.188556910 CET	53	53439	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:45.189228058 CET	58045	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:45.189661026 CET	53	57387	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:45.190138102 CET	53292	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:45.326971054 CET	53	58045	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:45.327354908 CET	53	53292	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:45.806370020 CET	59244	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:45.842909098 CET	61501	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:45.947895050 CET	53	59244	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:45.981641054 CET	53	61501	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:46.722129107 CET	56793	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:46.722619057 CET	59426	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:46.751089096 CET	65491	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:46.764168024 CET	54018	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:46.860192060 CET	53	56793	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:46.860953093 CET	62523	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:46.862085104 CET	53	59426	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:46.862616062 CET	58624	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:46.866601944 CET	57245	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:46.889202118 CET	53	65491	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:46.892201900 CET	59697	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:46.901823044 CET	53	54018	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:46.974157095 CET	53459	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:47.001400948 CET	53	62523	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:47.003192902 CET	53	58624	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:47.006455898 CET	53	57245	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:47.008023024 CET	64549	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:47.113276958 CET	53	53459	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:47.146111965 CET	53	64549	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:47.407510996 CET	61250	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:47.544795990 CET	53	61250	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:47.575274944 CET	54088	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:47.719804049 CET	53	54088	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:50.806355953 CET	54747	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:50.889843941 CET	64412	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:50.944180965 CET	53	54747	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:50.945163965 CET	60355	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:51.083115101 CET	53	60355	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:51.084239006 CET	64963	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:51.223095894 CET	53	64963	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:51.413008928 CET	55943	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:51.482635021 CET	53	58017	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:51.550416946 CET	53	55943	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:51.553153992 CET	51023	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:51.690258026 CET	53	51023	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:51.692107916 CET	50492	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:52.026595116 CET	53	50492	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:52.032377005 CET	53746	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:52.064171076 CET	65122	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:52.169434071 CET	53	53746	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:52.170157909 CET	54266	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:52.201987028 CET	53	65122	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:52.203270912 CET	63206	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:52.307382107 CET	53	54266	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:52.340775967 CET	53	63206	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:52.369534016 CET	59120	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:52.508940935 CET	53	59120	1.1.1.1	192.168.2.6
Dec 13, 2024 12:08:59.245697021 CET	56285	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:08:59.383414984 CET	53	56285	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.097373009 CET	54246	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.097646952 CET	61247	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.098553896 CET	57993	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.234961033 CET	53	61247	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.235702991 CET	51522	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.236618042 CET	53	54246	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.237436056 CET	53	57993	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.238009930 CET	56070	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.238636971 CET	59925	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.375602007 CET	53	56070	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.376988888 CET	53	59925	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.380474091 CET	53	51522	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.386847019 CET	50854	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.397690058 CET	63045	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.397690058 CET	58014	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.534941912 CET	53	63045	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.536014080 CET	63529	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.536825895 CET	53	58014	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.537466049 CET	51223	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.618921995 CET	53	50854	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.621035099 CET	55500	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.673839092 CET	53	63529	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.674683094 CET	54007	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.681683064 CET	53	51223	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.683952093 CET	60256	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.760859013 CET	53	55500	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.818763971 CET	53	54007	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.820653915 CET	58620	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.822598934 CET	53	60256	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.823117018 CET	51635	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:01.958132029 CET	53	58620	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:01.966154099 CET	53	51635	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:12.204982042 CET	58412	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:12.219697952 CET	49541	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:12.235327005 CET	64291	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:12.342648029 CET	53	58412	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:12.361139059 CET	53	49541	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:12.362299919 CET	53098	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:12.376759052 CET	53	64291	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:12.378799915 CET	56671	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:12.500509977 CET	53	53098	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:12.501378059 CET	61221	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:12.520956993 CET	53	56671	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:12.521717072 CET	59994	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:12.661269903 CET	53	59994	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:12.732968092 CET	53	61221	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:13.343723059 CET	57724	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:13.483778954 CET	53	57724	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:13.507406950 CET	56083	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:13.646095991 CET	53	56083	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:34.844779015 CET	63291	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:34.983253002 CET	53	63291	1.1.1.1	192.168.2.6
Dec 13, 2024 12:09:35.020546913 CET	63716	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:42.482055902 CET	59619	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:09:42.621917963 CET	53	59619	1.1.1.1	192.168.2.6
Dec 13, 2024 12:10:16.765280962 CET	51272	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:10:16.906169891 CET	53	51272	1.1.1.1	192.168.2.6
Dec 13, 2024 12:10:16.910590887 CET	59959	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:10:17.052709103 CET	53	59959	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 12:08:44.416228056 CET	192.168.2.6	1.1.1.1	0xef04	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:44.569310904 CET	192.168.2.6	1.1.1.1	0xc099	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:08:44.890495062 CET	192.168.2.6	1.1.1.1	0x62fc	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:44.890810966 CET	192.168.2.6	1.1.1.1	0x2d44	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.051413059 CET	192.168.2.6	1.1.1.1	0xf0da	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.051556110 CET	192.168.2.6	1.1.1.1	0xe1a6	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.189228058 CET	192.168.2.6	1.1.1.1	0x5220	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 12:08:45.190138102 CET	192.168.2.6	1.1.1.1	0x668f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:08:45.806370020 CET	192.168.2.6	1.1.1.1	0xf81b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.842909098 CET	192.168.2.6	1.1.1.1	0x84ef	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.722129107 CET	192.168.2.6	1.1.1.1	0x4ef2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.722619057 CET	192.168.2.6	1.1.1.1	0x6944	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.751089096 CET	192.168.2.6	1.1.1.1	0xeb74	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.764168024 CET	192.168.2.6	1.1.1.1	0x2e18	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.860953093 CET	192.168.2.6	1.1.1.1	0x4688	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:08:46.862616062 CET	192.168.2.6	1.1.1.1	0xa993	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:08:46.866601944 CET	192.168.2.6	1.1.1.1	0x4b84	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.892201900 CET	192.168.2.6	1.1.1.1	0x96d1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.974157095 CET	192.168.2.6	1.1.1.1	0x8e20	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:47.008023024 CET	192.168.2.6	1.1.1.1	0x3df	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:08:47.407510996 CET	192.168.2.6	1.1.1.1	0x178f	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:47.575274944 CET	192.168.2.6	1.1.1.1	0xc926	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:08:50.806355953 CET	192.168.2.6	1.1.1.1	0x57ad	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:50.889843941 CET	192.168.2.6	1.1.1.1	0x4e93	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:50.945163965 CET	192.168.2.6	1.1.1.1	0xace3	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:51.084239006 CET	192.168.2.6	1.1.1.1	0x7616	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:08:51.413008928 CET	192.168.2.6	1.1.1.1	0x210e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:51.553153992 CET	192.168.2.6	1.1.1.1	0xb97b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:51.692107916 CET	192.168.2.6	1.1.1.1	0xcf4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:08:52.032377005 CET	192.168.2.6	1.1.1.1	0xd859	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:52.064171076 CET	192.168.2.6	1.1.1.1	0xd7b8	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:52.170157909 CET	192.168.2.6	1.1.1.1	0xec3d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:08:52.203270912 CET	192.168.2.6	1.1.1.1	0x1635	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:52.369534016 CET	192.168.2.6	1.1.1.1	0xb785	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:08:59.245697021 CET	192.168.2.6	1.1.1.1	0xa16	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:09:01.097373009 CET	192.168.2.6	1.1.1.1	0x2ae2	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.097646952 CET	192.168.2.6	1.1.1.1	0x44d1	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.098553896 CET	192.168.2.6	1.1.1.1	0xa133	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.235702991 CET	192.168.2.6	1.1.1.1	0x34cb	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.238009930 CET	192.168.2.6	1.1.1.1	0x2265	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.238636971 CET	192.168.2.6	1.1.1.1	0x6c19	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.386847019 CET	192.168.2.6	1.1.1.1	0xce93	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 12:09:01.397690058 CET	192.168.2.6	1.1.1.1	0xefd5	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 12:09:01.397690058 CET	192.168.2.6	1.1.1.1	0x3965	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 12:09:01.536014080 CET	192.168.2.6	1.1.1.1	0x31cd	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.537466049 CET	192.168.2.6	1.1.1.1	0xe046	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.621035099 CET	192.168.2.6	1.1.1.1	0xe3f2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:09:01.674683094 CET	192.168.2.6	1.1.1.1	0x5d9b	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.683952093 CET	192.168.2.6	1.1.1.1	0x5df9	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.820653915 CET	192.168.2.6	1.1.1.1	0x43f7	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 12:09:01.823117018 CET	192.168.2.6	1.1.1.1	0x2656	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 12:09:12.204982042 CET	192.168.2.6	1.1.1.1	0xff64	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:09:12.219697952 CET	192.168.2.6	1.1.1.1	0x9132	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.235327005 CET	192.168.2.6	1.1.1.1	0x6ab5	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.362299919 CET	192.168.2.6	1.1.1.1	0xba2d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.378799915 CET	192.168.2.6	1.1.1.1	0x9a38	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.501378059 CET	192.168.2.6	1.1.1.1	0x2f1d	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 12:09:12.521717072 CET	192.168.2.6	1.1.1.1	0x6a0a	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:09:13.343723059 CET	192.168.2.6	1.1.1.1	0x4899	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:13.507406950 CET	192.168.2.6	1.1.1.1	0xfdc8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:09:34.844779015 CET	192.168.2.6	1.1.1.1	0x1a6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:09:35.020546913 CET	192.168.2.6	1.1.1.1	0xec2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:42.482055902 CET	192.168.2.6	1.1.1.1	0xefe5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:10:16.765280962 CET	192.168.2.6	1.1.1.1	0x3f29	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:10:16.910590887 CET	192.168.2.6	1.1.1.1	0x3f69	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 12:08:44.413158894 CET	1.1.1.1	192.168.2.6	0x3910	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:44.554224968 CET	1.1.1.1	192.168.2.6	0xef04	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.028167009 CET	1.1.1.1	192.168.2.6	0x62fc	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.028186083 CET	1.1.1.1	192.168.2.6	0x2d44	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:45.028186083 CET	1.1.1.1	192.168.2.6	0x2d44	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.188556910 CET	1.1.1.1	192.168.2.6	0xf0da	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.189661026 CET	1.1.1.1	192.168.2.6	0xe1a6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.326971054 CET	1.1.1.1	192.168.2.6	0x5220	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 12:08:45.327354908 CET	1.1.1.1	192.168.2.6	0x668f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 12:08:45.947895050 CET	1.1.1.1	192.168.2.6	0xf81b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:45.981641054 CET	1.1.1.1	192.168.2.6	0x84ef	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:45.981641054 CET	1.1.1.1	192.168.2.6	0x84ef	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.860192060 CET	1.1.1.1	192.168.2.6	0x4ef2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.862085104 CET	1.1.1.1	192.168.2.6	0x6944	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.865652084 CET	1.1.1.1	192.168.2.6	0x87b6	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:46.865652084 CET	1.1.1.1	192.168.2.6	0x87b6	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.889202118 CET	1.1.1.1	192.168.2.6	0xeb74	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.901823044 CET	1.1.1.1	192.168.2.6	0x2e18	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:46.901823044 CET	1.1.1.1	192.168.2.6	0x2e18	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:47.006455898 CET	1.1.1.1	192.168.2.6	0x4b84	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:47.029566050 CET	1.1.1.1	192.168.2.6	0x96d1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:47.029566050 CET	1.1.1.1	192.168.2.6	0x96d1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:47.113276958 CET	1.1.1.1	192.168.2.6	0x8e20	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:47.113276958 CET	1.1.1.1	192.168.2.6	0x8e20	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:47.113276958 CET	1.1.1.1	192.168.2.6	0x8e20	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:47.544795990 CET	1.1.1.1	192.168.2.6	0x178f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:47.719804049 CET	1.1.1.1	192.168.2.6	0xc926	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 12:08:50.944180965 CET	1.1.1.1	192.168.2.6	0x57ad	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:50.944180965 CET	1.1.1.1	192.168.2.6	0x57ad	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:50.944180965 CET	1.1.1.1	192.168.2.6	0x57ad	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:51.083115101 CET	1.1.1.1	192.168.2.6	0xace3	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:51.113153934 CET	1.1.1.1	192.168.2.6	0x4e93	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:51.550416946 CET	1.1.1.1	192.168.2.6	0x210e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:51.690258026 CET	1.1.1.1	192.168.2.6	0xb97b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:52.028635979 CET	1.1.1.1	192.168.2.6	0xc544	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:52.028635979 CET	1.1.1.1	192.168.2.6	0xc544	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:52.028667927 CET	1.1.1.1	192.168.2.6	0x3ac	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:52.169434071 CET	1.1.1.1	192.168.2.6	0xd859	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:52.201987028 CET	1.1.1.1	192.168.2.6	0xd7b8	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:52.201987028 CET	1.1.1.1	192.168.2.6	0xd7b8	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:52.340775967 CET	1.1.1.1	192.168.2.6	0x1635	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:56.526376009 CET	1.1.1.1	192.168.2.6	0xc84d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:58.731550932 CET	1.1.1.1	192.168.2.6	0x615c	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:08:58.731550932 CET	1.1.1.1	192.168.2.6	0x615c	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:08:58.731550932 CET	1.1.1.1	192.168.2.6	0x615c	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.234961033 CET	1.1.1.1	192.168.2.6	0x44d1	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:09:01.234961033 CET	1.1.1.1	192.168.2.6	0x44d1	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.236618042 CET	1.1.1.1	192.168.2.6	0x2ae2	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.237436056 CET	1.1.1.1	192.168.2.6	0xa133	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:09:01.237436056 CET	1.1.1.1	192.168.2.6	0xa133	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.375602007 CET	1.1.1.1	192.168.2.6	0x2265	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.376988888 CET	1.1.1.1	192.168.2.6	0x6c19	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.380474091 CET	1.1.1.1	192.168.2.6	0x34cb	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.534941912 CET	1.1.1.1	192.168.2.6	0xefd5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 12:09:01.534941912 CET	1.1.1.1	192.168.2.6	0xefd5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 12:09:01.534941912 CET	1.1.1.1	192.168.2.6	0xefd5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 12:09:01.534941912 CET	1.1.1.1	192.168.2.6	0xefd5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 12:09:01.536825895 CET	1.1.1.1	192.168.2.6	0x3965	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 12:09:01.618921995 CET	1.1.1.1	192.168.2.6	0xce93	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 12:09:01.673839092 CET	1.1.1.1	192.168.2.6	0x31cd	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:09:01.673839092 CET	1.1.1.1	192.168.2.6	0x31cd	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.673839092 CET	1.1.1.1	192.168.2.6	0x31cd	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.673839092 CET	1.1.1.1	192.168.2.6	0x31cd	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.673839092 CET	1.1.1.1	192.168.2.6	0x31cd	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.681683064 CET	1.1.1.1	192.168.2.6	0xe046	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.818763971 CET	1.1.1.1	192.168.2.6	0x5d9b	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.818763971 CET	1.1.1.1	192.168.2.6	0x5d9b	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.818763971 CET	1.1.1.1	192.168.2.6	0x5d9b	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.818763971 CET	1.1.1.1	192.168.2.6	0x5d9b	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:01.822598934 CET	1.1.1.1	192.168.2.6	0x5df9	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.361139059 CET	1.1.1.1	192.168.2.6	0x9132	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.361139059 CET	1.1.1.1	192.168.2.6	0x9132	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.361139059 CET	1.1.1.1	192.168.2.6	0x9132	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.361139059 CET	1.1.1.1	192.168.2.6	0x9132	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.376759052 CET	1.1.1.1	192.168.2.6	0x6ab5	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:09:12.376759052 CET	1.1.1.1	192.168.2.6	0x6ab5	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.500509977 CET	1.1.1.1	192.168.2.6	0xba2d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.500509977 CET	1.1.1.1	192.168.2.6	0xba2d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.500509977 CET	1.1.1.1	192.168.2.6	0xba2d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.500509977 CET	1.1.1.1	192.168.2.6	0xba2d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.520956993 CET	1.1.1.1	192.168.2.6	0x9a38	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:12.732968092 CET	1.1.1.1	192.168.2.6	0x2f1d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 12:09:12.732968092 CET	1.1.1.1	192.168.2.6	0x2f1d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 12:09:12.732968092 CET	1.1.1.1	192.168.2.6	0x2f1d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 12:09:12.732968092 CET	1.1.1.1	192.168.2.6	0x2f1d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 12:09:13.483778954 CET	1.1.1.1	192.168.2.6	0x4899	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:15.710670948 CET	1.1.1.1	192.168.2.6	0x9aa1	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:09:15.710670948 CET	1.1.1.1	192.168.2.6	0x9aa1	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:09:24.322271109 CET	1.1.1.1	192.168.2.6	0xe8b2	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:24.322271109 CET	1.1.1.1	192.168.2.6	0xe8b2	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:09:35.158783913 CET	1.1.1.1	192.168.2.6	0xec2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:09:35.158783913 CET	1.1.1.1	192.168.2.6	0xec2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:10:16.906169891 CET	1.1.1.1	192.168.2.6	0x3f29	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49751	34.107.221.82	80	7856	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 12:08:45.166208982 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:08:46.255412102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69380 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:08:47.436582088 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:08:47.752034903 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69381 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49761	34.107.221.82	80	7856	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 12:08:47.539933920 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49770	34.107.221.82	80	7856	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 12:08:49.093096972 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:08:50.194495916 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73870 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:08:52.066222906 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:08:52.382606030 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73872 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:08:56.386492014 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:08:56.701405048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73876 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:08:57.092201948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:08:57.394912958 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:08:57.600871086 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73877 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:08:59.025322914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:08:59.340853930 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73879 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:01.096873045 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:01.412972927 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73881 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:01.428143024 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:01.743196011 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73881 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:05.580370903 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:05.896256924 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73885 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:13.754431009 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:14.069122076 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73893 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:15.049283028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:15.363974094 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73895 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:25.376372099 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:09:35.345148087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:35.660188913 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73915 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:36.407937050 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:36.722445965 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73916 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:44.024831057 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:44.340459108 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73924 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:45.257847071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:09:45.572539091 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73925 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:09:55.593303919 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:10:05.723432064 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:10:15.853738070 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:10:18.475605011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:10:18.790369987 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 73958 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:10:28.792129040 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:10:38.919984102 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49778	34.107.221.82	80	7856	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 12:08:50.883603096 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:08:52.029997110 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85869 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:08:52.070008993 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:08:52.386010885 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85870 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:08:56.387715101 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:08:56.702142000 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85874 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:08:57.676620960 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:08:57.991441965 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85875 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:08:59.034337997 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:08:59.348839998 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85877 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:01.110259056 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:09:01.425195932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85879 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:04.121876001 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:09:04.450824976 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85882 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:13.436306953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:09:13.751360893 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85891 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:14.730551004 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:09:15.046164989 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:25.059832096 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:09:35.020235062 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:09:35.341557026 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85913 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:36.089792013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:09:36.404812098 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85914 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:43.707192898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:09:44.021750927 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85921 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:44.926028013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:09:45.240631104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85923 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:09:55.254600048 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:10:05.384736061 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:10:15.515074968 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:10:18.155661106 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:10:18.471962929 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 85956 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:10:28.491242886 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:10:38.629070044 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	2
Start time:	06:08:33
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x310000
File size:	972'288 bytes
MD5 hash:	5860A1BB4E76AF912BA6A63AC572F7F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:08:34
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x4d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:08:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:08:37
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x4d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:08:37
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:08:38
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x4d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:08:38
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:08:39
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x4d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:08:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:08:39
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x4d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:08:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:08:39
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:08:39
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:08:39
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	06:08:41
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ec77ec-d1a5-411a-81c5-cb2ea8506a6f} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1eb9736d310 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	06:08:43
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20230927232528 -prefsHandle 4472 -prefMapHandle 4468 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e67dc527-9b5e-4fa0-8f66-4b4329fa3a1d} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1eba9857d10 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	06:08:50
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10a99be9-5a4d-4909-a214-281fca8c768f} 7856 "\\.\pipe\gecko-crash-server-pipe.7856" 1ebb345a910 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.2%
Total number of Nodes:	1753
Total number of Limit Nodes:	51

Executed Functions

Function 003142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0031430D

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

GetCurrentProcess.KERNEL32(?,003ACB64,00000000,?,?), ref: 00314422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00314429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00314454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00314466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00314474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0031447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003144A0

Strings

GetNativeSystemInfo, xrefs: 00314460
kernel32.dll, xrefs: 0031444F
|O, xrefs: 003536F8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 906d5f2b095c491f57dbf79d0b7fed6b26ce37efee7df7d8093e7bb215938cfd
Instruction ID: c6ba79c61e2e33984fbb78a9b6d027739ccf64eb38cbb82efba9e02c20f621ad
Opcode Fuzzy Hash: 906d5f2b095c491f57dbf79d0b7fed6b26ce37efee7df7d8093e7bb215938cfd
Instruction Fuzzy Hash: D5A1C57DA1A2C0CFC737C76A7CC05D97FAC6B2A741F085A99D4819BAA2D6304948CB31

Function 003142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003150AA,?,?,00000000,00000000), ref: 003142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003150AA,?,?,00000000,00000000), ref: 003142C9
LoadResource.KERNEL32(?,00000000,?,?,003150AA,?,?,00000000,00000000,?,?,?,?,?,?,00314F20), ref: 003535BE
SizeofResource.KERNEL32(?,00000000,?,?,003150AA,?,?,00000000,00000000,?,?,?,?,?,?,00314F20), ref: 003535D3
LockResource.KERNEL32(003150AA,?,?,003150AA,?,?,00000000,00000000,?,?,?,?,?,?,00314F20,?), ref: 003535E6

Strings

SCRIPT, xrefs: 003142BF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 99080b14531a26d37785d6c43fe4f044bac945426f7cf37042571076114cfe1b
Instruction ID: 73d79c0caa2697fd87caf03831dc6148bedc20c0f35e9456a9cca82fcb206006
Opcode Fuzzy Hash: 99080b14531a26d37785d6c43fe4f044bac945426f7cf37042571076114cfe1b
Instruction Fuzzy Hash: 24117C70200700BFDB268B65DC48F677BBEEBCAB51F104969F40296260DB71D841C620

Function 00352BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00312B6B

Part of subcall function 00313A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003E1418,?,00312E7F,?,?,?,00000000), ref: 00313A78

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,003D2224), ref: 00352C10
ShellExecuteW.SHELL32(00000000,?,?,003D2224), ref: 00352C17

Strings

runas, xrefs: 00352C0B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: db14023741d61e2e4d61c3ad29304bece4cdb32661a8d5c05262690b18de2eef
Instruction ID: ed283aff90894e0409aa245375ba3bf7c41d478130764576040d74a8ae8c5bf5
Opcode Fuzzy Hash: db14023741d61e2e4d61c3ad29304bece4cdb32661a8d5c05262690b18de2eef
Instruction Fuzzy Hash: BF11A2312083455AC71FFF60D861AEE77A89F9E350F44592EF1821A1E2CF319A899752

Function 0037D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0037D501
Process32FirstW.KERNEL32(00000000,?), ref: 0037D50F
Process32NextW.KERNEL32(00000000,?), ref: 0037D52F
CloseHandle.KERNEL32(00000000), ref: 0037D5DC

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b8b50e7b182bd3e9f6f0fefc918121c9ec9233df5c3e2ed37eccd9354b94189b
Instruction ID: ac2ed0b9016b96df9e93bc0bc47bac93976dd121be15497e22bfa371f8eeb05a
Opcode Fuzzy Hash: b8b50e7b182bd3e9f6f0fefc918121c9ec9233df5c3e2ed37eccd9354b94189b
Instruction Fuzzy Hash: FA31D6711083009FD316EF54C891AAFBBF8EF9A354F10492DF585971A1EB719988CB92

Function 0037DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00355222), ref: 0037DBCE
GetFileAttributesW.KERNEL32(?), ref: 0037DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0037DBEE
FindClose.KERNEL32(00000000), ref: 0037DBFA

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f25668f8e4644c930b87a10810dad347558a84acb73387640f8ad19cfc20ca04
Instruction ID: daef4764e015bd921c1da9a71351b02b15062fefac9ec5a0d6c26068fc88153e
Opcode Fuzzy Hash: f25668f8e4644c930b87a10810dad347558a84acb73387640f8ad19cfc20ca04
Instruction Fuzzy Hash: 3DF0A03082091957C2336B78AC0D8AA37BC9E02334F108B02F83AC20E0EBB45D548695

Function 0036D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0036D220

Strings

%.3d, xrefs: 0036D22B
X64, xrefs: 0036D2A8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: efdb73e6acc205b2d66665f26b00c653295bdf4ab694896b9c698268f12fb39a
Instruction ID: 95622d37c0538d05a35365c1cc101003bad9314ae444f29d57f3518035cbd93d
Opcode Fuzzy Hash: efdb73e6acc205b2d66665f26b00c653295bdf4ab694896b9c698268f12fb39a
Instruction Fuzzy Hash: EFD012B1D08118E9CB9296D0DC599B9B37CBB08301F50C862F80691444E724C5086761

Function 00334CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003428E9,?,00334CBE,003428E9,003D88B8,0000000C,00334E15,003428E9,00000002,00000000,?,003428E9), ref: 00334D09
TerminateProcess.KERNEL32(00000000,?,00334CBE,003428E9,003D88B8,0000000C,00334E15,003428E9,00000002,00000000,?,003428E9), ref: 00334D10
ExitProcess.KERNEL32 ref: 00334D22

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ddd20d7d58ee5b3cb4b14d1ec18e3476171f3818ea2d66c97a5f06befd4b5bcc
Instruction ID: 8831ed4b43d40a2caee4976128845ba365c1b904dc9895cab64df1dfffab6021
Opcode Fuzzy Hash: ddd20d7d58ee5b3cb4b14d1ec18e3476171f3818ea2d66c97a5f06befd4b5bcc
Instruction Fuzzy Hash: 41E0B631010148ABCF53AF54DD49A593B6DEB42781F114014FC059B173CB39ED42CA80

Function 0036D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0036D28C

Strings

X64, xrefs: 0036D2A8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2d0b706607ddd87b7ff36b2769ff2149601ef54fb1ca10b060ce6c898ceadb9b
Instruction ID: 8aba0c1f7ff44ec059e12a042273d53022d2ec069ce7537d126ed1b9d747522d
Opcode Fuzzy Hash: 2d0b706607ddd87b7ff36b2769ff2149601ef54fb1ca10b060ce6c898ceadb9b
Instruction Fuzzy Hash: 3ED0CAB481116DEACB92CBA0EC88DDAB3BCBB05305F108692F106A2400DB7096488F20

Function 0031BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#>, xrefs: 003607CE

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#>
API String ID: 3964851224-3564690312
Opcode ID: fb8962819d2486ee0d56fc5179a6f27dca2b7a6ad6c60cd68e442f311b7318df
Instruction ID: 1feb04b1e9504c894bdc69a5a76405b66a0bd0bf2063171ddb5bbf8bea13d0e9
Opcode Fuzzy Hash: fb8962819d2486ee0d56fc5179a6f27dca2b7a6ad6c60cd68e442f311b7318df
Instruction Fuzzy Hash: 37A28C706183408FC71ACF24C481B6BBBE5BF89304F15996DE89A8B356D771EC85CB92

Function 0039AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0039B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0039B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0039B1D4
_wcslen.LIBCMT ref: 0039B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0039B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0039B236
_wcslen.LIBCMT ref: 0039B332

Part of subcall function 003805A7: GetStdHandle.KERNEL32(000000F6), ref: 003805C6

_wcslen.LIBCMT ref: 0039B34B
_wcslen.LIBCMT ref: 0039B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0039B3B6
GetLastError.KERNEL32(00000000), ref: 0039B407
CloseHandle.KERNEL32(?), ref: 0039B439
CloseHandle.KERNEL32(00000000), ref: 0039B44A
CloseHandle.KERNEL32(00000000), ref: 0039B45C
CloseHandle.KERNEL32(00000000), ref: 0039B46E
CloseHandle.KERNEL32(?), ref: 0039B4E3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 95cce3e82268f9e6b637869e290c99e50d4224d033bdd88f0ab07fb6b260f4e2
Instruction ID: 08f0260fddbeca971b4005e54d6ac8843d75a2ddd048c0eba843af234953ffa0
Opcode Fuzzy Hash: 95cce3e82268f9e6b637869e290c99e50d4224d033bdd88f0ab07fb6b260f4e2
Instruction Fuzzy Hash: CEF1AE316043009FCB16EF24D981B6EBBE5AF89710F19885DF8858F2A2DB30EC44CB52

Function 0031D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0031D807
timeGetTime.WINMM ref: 0031DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0031DB28
TranslateMessage.USER32(?), ref: 0031DB7B
DispatchMessageW.USER32(?), ref: 0031DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0031DB9F
Sleep.KERNEL32(0000000A), ref: 0031DBB1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 322aa815d1991d256f49ed01c622c6c135e8e62f60a8f48a6cd0fb8423165d42
Instruction ID: 21cbf58ca006cef570cb6a513876404d2c5824db083314901342a8d1d28fa6cc
Opcode Fuzzy Hash: 322aa815d1991d256f49ed01c622c6c135e8e62f60a8f48a6cd0fb8423165d42
Instruction Fuzzy Hash: 4C42C370608741DFD72BCF24C884BAAB7E4BF4B314F16865DE4968B291D774E884CB92

Function 00312CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00312D07
RegisterClassExW.USER32(00000030), ref: 00312D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00312D42
InitCommonControlsEx.COMCTL32(?), ref: 00312D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00312D6F
LoadIconW.USER32(000000A9), ref: 00312D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00312D94

Strings

AutoIt v3 GUI, xrefs: 00312D23
TaskbarCreated, xrefs: 00312D37
+, xrefs: 00312CF0
0, xrefs: 00312CE9

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a5c1d97d00e8479625b026a0ad15f56dd5c8755cd363001f338fd0e5b95f9d51
Instruction ID: 1272cc75d5b1acb480b1866f43607d9a20b25155485c2174fc24e1deda472f19
Opcode Fuzzy Hash: a5c1d97d00e8479625b026a0ad15f56dd5c8755cd363001f338fd0e5b95f9d51
Instruction Fuzzy Hash: 7021C4B5921358EFDB12DFA4EC89BDDBBB8FB09700F00921AF511AA2A0D7B54544CF91

Function 0035065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0035039A: CreateFileW.KERNEL32(00000000,00000000,?,00350704,?,?,00000000,?,00350704,00000000,0000000C), ref: 003503B7

GetLastError.KERNEL32 ref: 0035076F
__dosmaperr.LIBCMT ref: 00350776
GetFileType.KERNEL32(00000000), ref: 00350782
GetLastError.KERNEL32 ref: 0035078C
__dosmaperr.LIBCMT ref: 00350795
CloseHandle.KERNEL32(00000000), ref: 003507B5
CloseHandle.KERNEL32(?), ref: 003508FF
GetLastError.KERNEL32 ref: 00350931
__dosmaperr.LIBCMT ref: 00350938

Strings

H, xrefs: 003508BD

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0ab06a5918fa5ca4acea8155e89ac21abdf2fe924afd194d9f395c8fbb90a71b
Instruction ID: 4a17ff8b930c2936f1356589c4a53016366fb31616257d9b0430a6163d9c1f09
Opcode Fuzzy Hash: 0ab06a5918fa5ca4acea8155e89ac21abdf2fe924afd194d9f395c8fbb90a71b
Instruction Fuzzy Hash: 9DA12536A001448FDF2EAF68D891BAE7BA4EB06321F140159FC11DF2E1DB369817CB91

Function 0031344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00313A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003E1418,?,00312E7F,?,?,?,00000000), ref: 00313A78

Part of subcall function 00313357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00313379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0031356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0035318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003531CE
RegCloseKey.ADVAPI32(?), ref: 00353210
_wcslen.LIBCMT ref: 00353277
_wcslen.LIBCMT ref: 00353286

Strings

\Include\, xrefs: 00313527
\, xrefs: 0035328C
Include, xrefs: 00353184, 003531C5
Software\AutoIt v3\AutoIt, xrefs: 00313560

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 33dd872e8d5d076d04c3524b03fe80d294e41a56817f669c4993f0c8e902fd52
Instruction ID: 8f94f5f4ada3011fa1ef426d1fabc8ce4f3b2fff2c0e7fc939d988b2199e98c6
Opcode Fuzzy Hash: 33dd872e8d5d076d04c3524b03fe80d294e41a56817f669c4993f0c8e902fd52
Instruction Fuzzy Hash: 81716F755043409EC31ADF65DC829ABBBECFF89740F40092EF5459B2A0DB749A88CF61

Function 00312B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00312B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00312B9D
LoadIconW.USER32(00000063), ref: 00312BB3
LoadIconW.USER32(000000A4), ref: 00312BC5
LoadIconW.USER32(000000A2), ref: 00312BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00312BEF
RegisterClassExW.USER32(?), ref: 00312C40

Part of subcall function 00312CD4: GetSysColorBrush.USER32(0000000F), ref: 00312D07
Part of subcall function 00312CD4: RegisterClassExW.USER32(00000030), ref: 00312D31
Part of subcall function 00312CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00312D42
Part of subcall function 00312CD4: InitCommonControlsEx.COMCTL32(?), ref: 00312D5F
Part of subcall function 00312CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00312D6F
Part of subcall function 00312CD4: LoadIconW.USER32(000000A9), ref: 00312D85
Part of subcall function 00312CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00312D94

Strings

#, xrefs: 00312C16
AutoIt v3, xrefs: 00312C2F
0, xrefs: 00312C0F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1ba625ce71f3b3498dfc251e3b0f63f444f5d3cfd49b93020e1f1c831a93f4f4
Instruction ID: 602e9904588bf21f118446498aa1fe43e0abd3a340e6704ba6dc3ad7c17d7527
Opcode Fuzzy Hash: 1ba625ce71f3b3498dfc251e3b0f63f444f5d3cfd49b93020e1f1c831a93f4f4
Instruction Fuzzy Hash: 0D212F78E10354AFDB229F95EC95A9D7FB8FB49B50F00011AF500AA7A0D7B11540CF90

Function 0031B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0031BB4E

Strings

p%>, xrefs: 0031BB32
x#>, xrefs: 00360207
p#>, xrefs: 00360263
x#>, xrefs: 00360168
p#>, xrefs: 0031BA72
p#>, xrefs: 0031BB6B
p%>, xrefs: 0031B8DC
p#>, xrefs: 0036024F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#>$p#>$p#>$p#>$p%>$p%>$x#>$x#>
API String ID: 1385522511-3338821207
Opcode ID: 3a8339d5fb04bdc58a970bde6bd94ad9e84fab752620169a308d9265b46264fa
Instruction ID: 8278f35e74f515f51e3297d5a2794faefc8ff8eb8897c82e275f1b7f71d6a8d0
Opcode Fuzzy Hash: 3a8339d5fb04bdc58a970bde6bd94ad9e84fab752620169a308d9265b46264fa
Instruction Fuzzy Hash: 4932DD38A00249DFCB2ACF54C895AFEB7B9EF49300F258059E915AB791C774ED81CB91

Function 00313170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0031316A,?,?), ref: 003131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0031316A,?,?), ref: 00313204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00313227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0031316A,?,?), ref: 00313232
CreatePopupMenu.USER32 ref: 00313246
PostQuitMessage.USER32(00000000), ref: 00313267

Strings

TaskbarCreated, xrefs: 0031322D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 01d655ef956f5abba8ffc3d59f934cdc2fdc5f75be7f7b8eaad67de2cc85d11a
Instruction ID: 2cc2049096510b5d12b2c6a577332674723965bb661d99737d68ac3206ab9622
Opcode Fuzzy Hash: 01d655ef956f5abba8ffc3d59f934cdc2fdc5f75be7f7b8eaad67de2cc85d11a
Instruction Fuzzy Hash: 7941F535250244AADB2F7B68DD4EBFA366DE70E340F050225F9128A6E1CB71DAC197A1

Function 0031DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%>D%>, xrefs: 0031E27E
D%>, xrefs: 0031E4B1
Variable must be of type 'Object'., xrefs: 003632B7
D%>, xrefs: 0036302D
D%>, xrefs: 0031E1E0
D%>, xrefs: 00362FDA

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: D%>$D%>$D%>$D%>$D%>D%>$Variable must be of type 'Object'.
API String ID: 0-525490464
Opcode ID: 3a00f4d6e83cc0681b5ae2413ca45ed6c49161c08a438bb9da5ac253d3c2f9df
Instruction ID: 96a34e1332d288e0e1151463a456d4584dbf74422d53023959ecd02f8493a7cd
Opcode Fuzzy Hash: 3a00f4d6e83cc0681b5ae2413ca45ed6c49161c08a438bb9da5ac253d3c2f9df
Instruction Fuzzy Hash: 6DC29D75A00214CFCB2ACF58C880AADB7B5FF09310F258569ED16AB395D376ED81CB91

Function 0031EC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0031FE66

Strings

D%>, xrefs: 0031F36A
D%>D%>, xrefs: 0031F05B
D%>, xrefs: 0036491E
D%>, xrefs: 0031EFB7
D%>, xrefs: 00364972

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%>$D%>$D%>$D%>$D%>D%>
API String ID: 1385522511-2861487033
Opcode ID: 1c10ce3a4f2c2ac3bfbb305a8770db6894a3351cbc45027aa97d123533442dfe
Instruction ID: 51688d67c9afe3a851352f64dc09665c69880fc1becf7a61a3f1dcd9eac59eac
Opcode Fuzzy Hash: 1c10ce3a4f2c2ac3bfbb305a8770db6894a3351cbc45027aa97d123533442dfe
Instruction Fuzzy Hash: 78B27D74A08340CFCB2ACF14D490A6AB7F5BF89300F25896DE9959B391D771EC85CB92

Function 00311410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00311459
CoUninitialize.COMBASE ref: 003114F8
UnregisterHotKey.USER32(?), ref: 003116DD
DestroyWindow.USER32(?), ref: 003524B9
FreeLibrary.KERNEL32(?), ref: 0035251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0035254B

Strings

close all, xrefs: 00311454

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 054d45038e1a7b3f7ab2b3e4aac8948d39c2e909867d3edb93625d047d945aaa
Instruction ID: c6bdea4ffa60e80a42726deb2ead0447d65780ce8311b0321a6102293d7a14f8
Opcode Fuzzy Hash: 054d45038e1a7b3f7ab2b3e4aac8948d39c2e909867d3edb93625d047d945aaa
Instruction Fuzzy Hash: 8CD19B317012228FCB1BEF15C895EAAF7A4BF0A701F1545ADE94A6B261DB30AC56CF50

Function 0037DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0037DE42
gethostname.WS2_32(?,00000100), ref: 0037DE5C
gethostbyname.WS2_32(?), ref: 0037DE69
inet_ntoa.WSOCK32(?), ref: 0037DEAB
_strcat.LIBCMT ref: 0037DEB9
WSACleanup.WSOCK32 ref: 0037DEDE

Strings

0.0.0.0, xrefs: 0037DE87

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 50580351cd13c2d077a967604cac93cc24d868304f1f8fb157aff85cf922d4aa
Instruction ID: 848eb7de30d4107532ece559c9a5faecf48be81136e62e1f0262d8c2f85f0da0
Opcode Fuzzy Hash: 50580351cd13c2d077a967604cac93cc24d868304f1f8fb157aff85cf922d4aa
Instruction Fuzzy Hash: 9A110631904114AFDB37AB60DC4AEEE77BCDF15711F014169F449AA091EF799A818A90

Function 00312C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00312C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00312CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00311CAD,?), ref: 00312CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00311CAD,?), ref: 00312CCF

Strings

edit, xrefs: 00312CAC
AutoIt v3, xrefs: 00312C89, 00312C8E, 00312C8F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a4e1eea4b20c34ffe745b235e43b9665e0cd289e211b6a0a99677570c49c9f7a
Instruction ID: 2eec42414eccb50c4fc387f0ddcb303cb1fefcebc911b6554c5749ceb47a96f5
Opcode Fuzzy Hash: a4e1eea4b20c34ffe745b235e43b9665e0cd289e211b6a0a99677570c49c9f7a
Instruction Fuzzy Hash: 3DF0B7795502D07EEB321717AC88EB72EBDD7C7F50F00115EF900AA5E0C6B11851DAB0

Function 0036D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0036D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0036D3BF
FreeLibrary.KERNEL32(00000000), ref: 0036D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0036D3B9
X64, xrefs: 0036D2A8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 031bb0b12a75cfe644797d95ea1f8ffb7a885a143be722111dd6b11bbf795c29
Instruction ID: 2d61bcd8b16efb4f0f3db61b0a456ef1f186b93c6268acbb072bece59d5bc6a8
Opcode Fuzzy Hash: 031bb0b12a75cfe644797d95ea1f8ffb7a885a143be722111dd6b11bbf795c29
Instruction Fuzzy Hash: 67F0557DF05A708FC73317218C28969772CAF02701F66D555F443E665CDB60CC408682

Function 00313B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00313B0F,SwapMouseButtons,00000004,?), ref: 00313B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00313B0F,SwapMouseButtons,00000004,?), ref: 00313B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00313B0F,SwapMouseButtons,00000004,?), ref: 00313B83

Strings

Control Panel\Mouse, xrefs: 00313B3E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ccbc20e89a9f2e4c3499913e183c44e846a8dd9dfdc5c8a3cfdb97159c62bf9e
Instruction ID: 1edd6c82ddb94993779e3ef024eaca4ff19cdbc6a3b39dc2f310df38ccd4a73d
Opcode Fuzzy Hash: ccbc20e89a9f2e4c3499913e183c44e846a8dd9dfdc5c8a3cfdb97159c62bf9e
Instruction Fuzzy Hash: 7B112AB5524208FFDB26CFA5DC44AEFB7BCEF09744B118459A805D7110E231DE809760

Function 00313923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003533A2

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00313A04

Strings

Line: , xrefs: 003533EB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 05715f8f19c322d38f5e4530a6eb9cac2ef299370ed27458d02300ebeddd848b
Instruction ID: a357fdd3ea85f6535952af025f8b8a23b1c6f3936618e39d3c58788b3e9f68ef
Opcode Fuzzy Hash: 05715f8f19c322d38f5e4530a6eb9cac2ef299370ed27458d02300ebeddd848b
Instruction Fuzzy Hash: 7231A371508344AAC72BEB60DC46FEBB7ECAF48710F004A2AF599971D1DB709689C7C2

Function 00312DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00352C8C

Part of subcall function 00313AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00313A97,?,?,00312E7F,?,?,?,00000000), ref: 00313AC2

Part of subcall function 00312DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00312DC4

Strings

X, xrefs: 00352C5A
`e=, xrefs: 00352C85

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e=
API String ID: 779396738-3911472045
Opcode ID: 860dd81f200cb989a56047dfae68fed08623ad56cbc1dd2d6edb0307e211416f
Instruction ID: b617769f40872b5a7e6b5b3f0e2252e48eca88215e3be17ff1cd1f4650634ec4
Opcode Fuzzy Hash: 860dd81f200cb989a56047dfae68fed08623ad56cbc1dd2d6edb0307e211416f
Instruction Fuzzy Hash: AA21D571A002989FCB47DF94D846BEE7BFCAF49304F00805AE405AB241DBB49A898F61

Function 0032FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00330668

Part of subcall function 003332A4: RaiseException.KERNEL32(?,?,?,0033068A,?,003E1444,?,?,?,?,?,?,0033068A,00311129,003D8738,00311129), ref: 00333304

__CxxThrowException@8.LIBVCRUNTIME ref: 00330685

Strings

Unknown exception, xrefs: 00330692

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 24fc0f4705a70b1725dbdb2ba557981c963a442ddbd5af4b567801694e9af8e4
Instruction ID: 77a65cad5a4aba5a36e7711cb3304b5aa7cab614cb3c42ee0ef80f61ab5d549f
Opcode Fuzzy Hash: 24fc0f4705a70b1725dbdb2ba557981c963a442ddbd5af4b567801694e9af8e4
Instruction Fuzzy Hash: AAF0C23490020DBBCB07B7A4E8D6C9E777C9E00310F608531F924DA599EF71EA65C6C0

Function 003110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00311BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00311BF4
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00311BFC
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00311C07
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00311C12
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00311C1A
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00311C22

Part of subcall function 00311B4A: RegisterWindowMessageW.USER32(00000004,?,003112C4), ref: 00311BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0031136A
OleInitialize.OLE32 ref: 00311388
CloseHandle.KERNEL32(00000000,00000000), ref: 003524AB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 7719679443b7c66f3db2cc101a440ad1cea7106da5c076a1a621346036c22289
Instruction ID: 5fd1f814937faddf9e90b7a6d05e044e7bed8158b7e341d0094ad6889643b9f3
Opcode Fuzzy Hash: 7719679443b7c66f3db2cc101a440ad1cea7106da5c076a1a621346036c22289
Instruction Fuzzy Hash: 0A71A2B99113D48EC7A7DF7AA9856993AE8FB8A340B54532ED40ACF3E1E7304485CF41

Function 0037C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00313923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00313A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0037C259
KillTimer.USER32(?,00000001,?,?), ref: 0037C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0037C270

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: d22cdf499afc44bdd68e42918c3682579b31faeba51ef4e05bc614afab2a05a3
Instruction ID: a580aa0648b78adba68f07b5c74f45bbc4c66b987d4eaf8dcbc85bfd3010b19c
Opcode Fuzzy Hash: d22cdf499afc44bdd68e42918c3682579b31faeba51ef4e05bc614afab2a05a3
Instruction Fuzzy Hash: 8231B170914344AFEF338B649895BE7BBEC9B06304F00549ED29EA7242C7785A84CB51

Function 003486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,003485CC,?,003D8CC8,0000000C), ref: 00348704
GetLastError.KERNEL32(?,003485CC,?,003D8CC8,0000000C), ref: 0034870E
__dosmaperr.LIBCMT ref: 00348739

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: cbd3735c11fc0b36e6b789e04fa37eeafc77de3e152f623f2708d9d23e483344
Instruction ID: e0be4fd736fb36d68b44618592d6eb68f69a1bcd9febcfb4be2c2ce00a1bcff7
Opcode Fuzzy Hash: cbd3735c11fc0b36e6b789e04fa37eeafc77de3e152f623f2708d9d23e483344
Instruction Fuzzy Hash: 70012B37A0566027D6A767346885B7E6BCD4B82778F3B0219FA149F1D3DEA8BC818150

Function 0031DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0031DB7B
DispatchMessageW.USER32(?), ref: 0031DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0031DB9F
Sleep.KERNEL32(0000000A), ref: 0031DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00361CC9

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 8caed273cce8d7808af7e56188664abafa484eb34443cbff03f7a12323ad1e0f
Instruction ID: 753bb5248caaad57d5f05b144454b346cc03a50a8d4a6ecec1e8e100353244c7
Opcode Fuzzy Hash: 8caed273cce8d7808af7e56188664abafa484eb34443cbff03f7a12323ad1e0f
Instruction Fuzzy Hash: BAF05E316443849BE736CB608C89FEA73ACEB8A310F108618E65A870C0DB30A4888B25

Function 00321310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003217F6

Strings

CALL, xrefs: 003217C6

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 70237019948041d281bc727470232175ea1ea71504c553bc89388bfd5ec3816f
Instruction ID: 8b9992b043103d466b535b5ed8f9ba06046278c58ffb0af51b5621298ed9c0da
Opcode Fuzzy Hash: 70237019948041d281bc727470232175ea1ea71504c553bc89388bfd5ec3816f
Instruction Fuzzy Hash: E022BC706083519FC716DF14D581B2ABBF5BF9A344F25896DF8868B3A1D731E841CB82

Function 003201E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77167361f5c589bd3a42a1e27bf16771acf1cbe0e4b5e60b025b3a3f624cb14d
Instruction ID: 7a98fadc51091dbeeebab70013ec75e9b9da3a3be67e5722181c0ea44f8cbf2a
Opcode Fuzzy Hash: 77167361f5c589bd3a42a1e27bf16771acf1cbe0e4b5e60b025b3a3f624cb14d
Instruction Fuzzy Hash: 2A321330A00614DFCB2BDF54D885BAEB7B4BF05310F158879E916AB2A6D731ED84CB91

Function 0036D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0036D375

Strings

X64, xrefs: 0036D2A8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 11c40d82a2da05bf6ca8d79b62d91144d8221cb7732adc681debc4b8a057f6ab
Instruction ID: 502567bdfcfcfdf22ba31719213a72507d09c4c0d3393aeb695b5c3f6db0071f
Opcode Fuzzy Hash: 11c40d82a2da05bf6ca8d79b62d91144d8221cb7732adc681debc4b8a057f6ab
Instruction Fuzzy Hash: 0CD0C9B5815168EACB92CB80DC88DD9B3BCBB04301F508551F002A2844D77495489B10

Function 00313837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00313908

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9bdaf6e1d0844651fafe40f14624b98cff45c3929f217fa4e27dd8828cfa58c7
Instruction ID: fc4010cb79048f74e5cefe2fd19a2c167660e1c92a74b5107faa3ae4fec41006
Opcode Fuzzy Hash: 9bdaf6e1d0844651fafe40f14624b98cff45c3929f217fa4e27dd8828cfa58c7
Instruction Fuzzy Hash: FB3191745043019FD722DF24D8847D7BBE8FB4D708F00092EF99997290E771AA88CB52

Function 0032F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0032F661

Part of subcall function 0031D730: GetInputState.USER32 ref: 0031D807

Sleep.KERNEL32(00000000), ref: 0036F2DE

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 49137a70659322659284232ba2628fa429f52579489589c254e32b349f642a6b
Instruction ID: c8fe1c44dcf5f0ad7a9c14dd8466c48a503e78ef287230e36532188f2b60c560
Opcode Fuzzy Hash: 49137a70659322659284232ba2628fa429f52579489589c254e32b349f642a6b
Instruction Fuzzy Hash: 61F08C312402159FD315EF69E449BAAF7E9EF4A760F004029E859CB2A0EB70A840CF90

Function 00314ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00314E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00314EDD,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E9C
Part of subcall function 00314E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00314EAE
Part of subcall function 00314E90: FreeLibrary.KERNEL32(00000000,?,?,00314EDD,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314EFD

Part of subcall function 00314E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00353CDE,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E62
Part of subcall function 00314E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00314E74
Part of subcall function 00314E59: FreeLibrary.KERNEL32(00000000,?,?,00353CDE,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E87

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 3b74a88d7e21788352d87f9764f49a0f3051d197a150dd1a33e0de1352001571
Instruction ID: f2e6ff4a277f2bd29b90b653d39820cca007631bdc8c6837eb0528d69e1b713a
Opcode Fuzzy Hash: 3b74a88d7e21788352d87f9764f49a0f3051d197a150dd1a33e0de1352001571
Instruction Fuzzy Hash: 4A11E332610205ABDF1BBB60DC02FED77A5AF88B11F10842DF542AE2D1EE71DA85D760

Function 00348402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00348440

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 19bf10479ce688856d108e910c6070329f32567c34cc240a1ddf2307f33b403d
Instruction ID: 0f4831ef40ab1c2816c4a5b724a289655fc6cf67126509f084e9bf7e545dd9c2
Opcode Fuzzy Hash: 19bf10479ce688856d108e910c6070329f32567c34cc240a1ddf2307f33b403d
Instruction Fuzzy Hash: AC11487590410AAFCB06DF58E94099E7BF8EF48300F114059FC08AB312DB31EA11CBA4

Function 00345000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00344C7D: RtlAllocateHeap.NTDLL(00000008,00311129,00000000,?,00342E29,00000001,00000364,?,?,?,0033F2DE,00343863,003E1444,?,0032FDF5,?), ref: 00344CBE

_free.LIBCMT ref: 0034506C

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: dbcd664dd2cd4fc1c1aa497f46fa48587c7918ce5265f9178271c1cc5ade7514
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B70126766047056BE3228E659881A9AFBEDFB89370F65052DE1849B281EA30B805C6B4

Function 0033E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 8ba8d1e4b3a1bcb1ae19ddeac83ffbdb56b5f6f6e1b946e78bf64a3685a2b836
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 7EF02832510A14ABD7333A6A9C46B5B37DC9F52335F110729F8209F1D2CB74E80186A5

Function 00319CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00319CBD

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: adafec5abc8015c7044a09e001c359287384851bfa8f5e3c1cb68c0661a74ac0
Instruction ID: 696c4e0306a676b00a38ec06c2ce13d4d4ab1053585e4211e53e4bd11d79e015
Opcode Fuzzy Hash: adafec5abc8015c7044a09e001c359287384851bfa8f5e3c1cb68c0661a74ac0
Instruction Fuzzy Hash: 74F0C8B36006106ED7169F28DC06BA7BBA8EF48760F10853AF619CF1D1DB31E55087E0

Function 00344C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00311129,00000000,?,00342E29,00000001,00000364,?,?,?,0033F2DE,00343863,003E1444,?,0032FDF5,?), ref: 00344CBE

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c42ca4bef5fc55bbe1b4efe7d62a539e8c5662a2696fd5aa1f8f5d8cd930861
Instruction ID: 9209766b8b93b41e1ccfa03a8e7cd54a6d02cf36fa044bed1bbf2e9a053002cd
Opcode Fuzzy Hash: 0c42ca4bef5fc55bbe1b4efe7d62a539e8c5662a2696fd5aa1f8f5d8cd930861
Instruction Fuzzy Hash: 63F0543164622476DB235F62AC85B5A37CDAF41BA1F1E8135B815AE591CA70FC0147A0

Function 00343820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e9fe663483d1e4c162e644b99d6df387e3b11f72a5eb18df976ce23ad8f97aeb
Instruction ID: 351120eb20f3bd87ef577e083463a7c0d00f5b3da1e7958b51b8d4c765a8717a
Opcode Fuzzy Hash: e9fe663483d1e4c162e644b99d6df387e3b11f72a5eb18df976ce23ad8f97aeb
Instruction Fuzzy Hash: CAE0653550122496D63327679C05B9BB6CDAF427B0F160121BC559F991DB21FD0586E1

Function 00314F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314F6D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 894dd829cba8c03c74fd1b820e1ac57898aaffcdb37f613f5e58b481734535f8
Instruction ID: 6fb070b6e51330b425344711221fdc20b45e44b6b4343cb228f32b0dace8c034
Opcode Fuzzy Hash: 894dd829cba8c03c74fd1b820e1ac57898aaffcdb37f613f5e58b481734535f8
Instruction Fuzzy Hash: 22F03071105751CFDB3A9F64D490892B7E4EF19319315897EE1DA86611C7319885DF10

Function 003A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003A2A66

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 153207283115bba6a80ef522023b0c915de4eb67a402c20af8d6c590ddc4ef50
Instruction ID: 6976e323405d36989cefc212e063c0ed1464658da5638ac48a42157a63558a95
Opcode Fuzzy Hash: 153207283115bba6a80ef522023b0c915de4eb67a402c20af8d6c590ddc4ef50
Instruction Fuzzy Hash: A8E04F36350116AEC766EA34DC809FB735CEB52395B10453AAC2AD6110DF34999596A0

Function 003130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0031314E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: eb38dd7b449a58a43a526b1d25c486dd15b9ac6f2f8fade6c058b8812f690bb7
Instruction ID: bc2bde73f6dd8b92eb9f92d372f0b01a9facff0b99a0575b614a872b47235f73
Opcode Fuzzy Hash: eb38dd7b449a58a43a526b1d25c486dd15b9ac6f2f8fade6c058b8812f690bb7
Instruction Fuzzy Hash: 48F037749143589FE763DB24DC857D67BBCAB05708F0001E5A5489A2D1D77457C8CF51

Function 00312DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00312DC4

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ebe6831eaddd0f1e18c0399d6363dabba11e7322870fcb10f69988ffc1b4dcfe
Instruction ID: 34deaf7a8725202208110cec9d2276bea6ff668bb166ffa5daa84eb9b5a7c6e9
Opcode Fuzzy Hash: ebe6831eaddd0f1e18c0399d6363dabba11e7322870fcb10f69988ffc1b4dcfe
Instruction Fuzzy Hash: DBE0C272A042245BCB22A298DC06FEA77EDDFC8790F0541B1FD09EB258DA60AD848690

Function 00312B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00313837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00313908

Part of subcall function 0031D730: GetInputState.USER32 ref: 0031D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00312B6B

Part of subcall function 003130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0031314E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 1698cf2aeaf93dd21cc75199e90d29a24f71f52e6ce57c649c17f4f7211cb53d
Instruction ID: 21286ab4aa687397e041a3e84b6ce3d56f3ecb82b189c39b594a993a9284f137
Opcode Fuzzy Hash: 1698cf2aeaf93dd21cc75199e90d29a24f71f52e6ce57c649c17f4f7211cb53d
Instruction Fuzzy Hash: F7E0863130425407CA0FBB75A8525EDA7AD9BDE351F40153EF1464F2E2CE6489C94752

Function 0037DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0037DF40

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 4cdee10a300421a0f620c5a609a664ceabaab2093a851ec40534e05844891423
Instruction ID: ff710ca0259302777954cbc310918ded8ed5d42ecbf649dc70f1f91374fabbd9
Opcode Fuzzy Hash: 4cdee10a300421a0f620c5a609a664ceabaab2093a851ec40534e05844891423
Instruction Fuzzy Hash: AFD05EA2A002282BDF64A6759C0EDF73AACC744210F0006A0786DD3152E920DD8486B0

Function 0035039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00350704,?,?,00000000,?,00350704,00000000,0000000C), ref: 003503B7

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 74e0d8a72b5e9a70dbcaa5258524fca9043de3f941a05803678c0bc1d80de76a
Instruction ID: d88ef2e995bba25b395e069165189c521f75d1af93b218291925251cd9e6223f
Opcode Fuzzy Hash: 74e0d8a72b5e9a70dbcaa5258524fca9043de3f941a05803678c0bc1d80de76a
Instruction Fuzzy Hash: A0D06C3215010DBBDF028F84DD06EDA3BAAFB48714F014100BE1856020C736E821AB90

Function 00311CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00311CBC

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ebced630b5887844a135a7d9014c2bbe55e82fc83199d4d4f5669c7ac11b2abd
Instruction ID: 64dd5097b981e8736f40d9e888522ab66b0e798b12ff1be4fefa36a3e6fe36f9
Opcode Fuzzy Hash: ebced630b5887844a135a7d9014c2bbe55e82fc83199d4d4f5669c7ac11b2abd
Instruction Fuzzy Hash: 6BC09B352803449FF6274781BD8AF11775CA349B00F444101F6095D5E3C7B11810D750

Non-executed Functions

Function 003A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 003A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003A96C9
SendMessageW.USER32 ref: 003A96F2
GetKeyState.USER32(00000011), ref: 003A978B
GetKeyState.USER32(00000009), ref: 003A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003A97AE
GetKeyState.USER32(00000010), ref: 003A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003A97E9
SendMessageW.USER32 ref: 003A9810
SendMessageW.USER32(?,00001030,?,003A7E95), ref: 003A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003A9941
SetCapture.USER32(?), ref: 003A994A
ClientToScreen.USER32(?,?), ref: 003A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003A99D6
ReleaseCapture.USER32 ref: 003A99E1
GetCursorPos.USER32(?), ref: 003A9A19
ScreenToClient.USER32(?,?), ref: 003A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 003A9A80
SendMessageW.USER32 ref: 003A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 003A9AEB
SendMessageW.USER32 ref: 003A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 003A9B4A
GetCursorPos.USER32(?), ref: 003A9B68
ScreenToClient.USER32(?,?), ref: 003A9B75
GetParent.USER32(?), ref: 003A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 003A9BFA
SendMessageW.USER32 ref: 003A9C2B
ClientToScreen.USER32(?,?), ref: 003A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 003A9CDE
SendMessageW.USER32 ref: 003A9D01
ClientToScreen.USER32(?,?), ref: 003A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003A9D82

Part of subcall function 00329944: GetWindowLongW.USER32(?,000000EB), ref: 00329952

GetWindowLongW.USER32(?,000000F0), ref: 003A9E05

Strings

@GUI_DRAGID, xrefs: 003A997D
p#>, xrefs: 003A9990
F, xrefs: 003A9D07

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#>
API String ID: 3429851547-711497766
Opcode ID: 90f43d88a3f49dcbc4d457b1d5afcc44ae4213ceb6464aaee0dfc53ce33d0ad4
Instruction ID: b2f139c91623a58083fd96ac3d675a78990d6f444c8f27d4a69d706557db2287
Opcode Fuzzy Hash: 90f43d88a3f49dcbc4d457b1d5afcc44ae4213ceb6464aaee0dfc53ce33d0ad4
Instruction Fuzzy Hash: 7C425F34604241AFD726CF24CC84FAABBE9FF4A324F15461AF595AB2B1D731D850CB91

Function 003A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 003A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 003A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 003A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 003A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 003A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 003A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003A4A7E
IsMenu.USER32(?), ref: 003A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A4B20
GetWindowLongW.USER32(?,000000F0), ref: 003A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 003A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 003A4C82
wsprintfW.USER32 ref: 003A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 003A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 003A4D5A

Strings

%d/%02d/%02d, xrefs: 003A4CA8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 07020f0fa5e5516318c6eeaa25725658069df9e7ad09ba8764d7e916fd1e674f
Instruction ID: 77a5f43af5411ed0a89e5621926645f0faab49aadeebaa622649c351c1a6f5ea
Opcode Fuzzy Hash: 07020f0fa5e5516318c6eeaa25725658069df9e7ad09ba8764d7e916fd1e674f
Instruction Fuzzy Hash: 8712E171600254AFEB268F24DC49FAEBBF8EF86710F144129F516EB2E1DBB49941CB50

Function 0032F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0032F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0036F474
IsIconic.USER32(00000000), ref: 0036F47D
ShowWindow.USER32(00000000,00000009), ref: 0036F48A
SetForegroundWindow.USER32(00000000), ref: 0036F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0036F4AA
GetCurrentThreadId.KERNEL32 ref: 0036F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0036F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0036F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0036F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0036F4DE
SetForegroundWindow.USER32(00000000), ref: 0036F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036F4F6
keybd_event.USER32(00000012,00000000), ref: 0036F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036F50B
keybd_event.USER32(00000012,00000000), ref: 0036F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036F519
keybd_event.USER32(00000012,00000000), ref: 0036F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036F528
keybd_event.USER32(00000012,00000000), ref: 0036F52D
SetForegroundWindow.USER32(00000000), ref: 0036F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0036F557

Strings

Shell_TrayWnd, xrefs: 0036F46F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c4c7e8856dc1954740b3a1471ab06b56d94b062991301d7e961ac8bd3a29842a
Instruction ID: 7773cd368e494e0b29824ac02857aeb009f67a2112360ed932035b92fba3b026
Opcode Fuzzy Hash: c4c7e8856dc1954740b3a1471ab06b56d94b062991301d7e961ac8bd3a29842a
Instruction Fuzzy Hash: E131A471A50218BFEB226BB65C4AFBF7E6CEB46B50F115025FA01E61D1CBB15D00AA60

Function 00371201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037170D
Part of subcall function 003716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037173A
Part of subcall function 003716C3: GetLastError.KERNEL32 ref: 0037174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00371286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003712A8
CloseHandle.KERNEL32(?), ref: 003712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003712D1
GetProcessWindowStation.USER32 ref: 003712EA
SetProcessWindowStation.USER32(00000000), ref: 003712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00371310

Part of subcall function 003710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003711FC), ref: 003710D4
Part of subcall function 003710BF: CloseHandle.KERNEL32(?,?,003711FC), ref: 003710E9

Strings

, xrefs: 0037125A
default, xrefs: 0037130B
winsta0, xrefs: 003712CC
Z=, xrefs: 00371392

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z=
API String ID: 22674027-2879544205
Opcode ID: c9d07f68f5e46f524337be038e7c66f39e53cdeb89f56d6934c5db3e6bd38ab8
Instruction ID: 4a5a86244ede5187278bff28c9194f8fd98a7d588125e809557bd0b9fc9d04b3
Opcode Fuzzy Hash: c9d07f68f5e46f524337be038e7c66f39e53cdeb89f56d6934c5db3e6bd38ab8
Instruction Fuzzy Hash: FC81A172900209AFDF22DFA9DC49FEE7BBDEF05704F148129F914A61A0D7798944DB60

Function 00370B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00371114
Part of subcall function 003710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371120
Part of subcall function 003710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 0037112F
Part of subcall function 003710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371136
Part of subcall function 003710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0037114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00370BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00370C00
GetLengthSid.ADVAPI32(?), ref: 00370C17
GetAce.ADVAPI32(?,00000000,?), ref: 00370C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00370C6D
GetLengthSid.ADVAPI32(?), ref: 00370C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00370C8C
HeapAlloc.KERNEL32(00000000), ref: 00370C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00370CB4
CopySid.ADVAPI32(00000000), ref: 00370CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00370CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00370D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00370D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370D45
HeapFree.KERNEL32(00000000), ref: 00370D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370D55
HeapFree.KERNEL32(00000000), ref: 00370D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370D65
HeapFree.KERNEL32(00000000), ref: 00370D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00370D78
HeapFree.KERNEL32(00000000), ref: 00370D7F

Part of subcall function 00371193: GetProcessHeap.KERNEL32(00000008,00370BB1,?,00000000,?,00370BB1,?), ref: 003711A1
Part of subcall function 00371193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00370BB1,?), ref: 003711A8
Part of subcall function 00371193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00370BB1,?), ref: 003711B7

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5ce94c9cb30c1197b271ae789eb1d0f075c6f14ed34f9856ba96cb655c808109
Instruction ID: 9e1ddb5f67ecb6cc29c7023da34a81a7f85ba288f3ba578535274e076a1a96bc
Opcode Fuzzy Hash: 5ce94c9cb30c1197b271ae789eb1d0f075c6f14ed34f9856ba96cb655c808109
Instruction Fuzzy Hash: 8D715C72A0020AEBDF26DFA4DC44BAEBBBCBF09310F058515E919A6291D775A905CB60

Function 0038EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(003ACC08), ref: 0038EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0038EB37
GetClipboardData.USER32(0000000D), ref: 0038EB43
CloseClipboard.USER32 ref: 0038EB4F
GlobalLock.KERNEL32(00000000), ref: 0038EB87
CloseClipboard.USER32 ref: 0038EB91
GlobalUnlock.KERNEL32(00000000), ref: 0038EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0038EBC9
GetClipboardData.USER32(00000001), ref: 0038EBD1
GlobalLock.KERNEL32(00000000), ref: 0038EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0038EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0038EC38
GetClipboardData.USER32(0000000F), ref: 0038EC44
GlobalLock.KERNEL32(00000000), ref: 0038EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0038EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0038EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0038ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0038ECF3
CountClipboardFormats.USER32 ref: 0038ED14
CloseClipboard.USER32 ref: 0038ED59

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 939e619f5e7bf3e4b29c2bffd4dba7232fb4308ba8bb10e5c5be6b8c11eee56a
Instruction ID: 7a5e4452dd4023603d72609e8587581f2a2000de802a45aa5f968b4489f08b75
Opcode Fuzzy Hash: 939e619f5e7bf3e4b29c2bffd4dba7232fb4308ba8bb10e5c5be6b8c11eee56a
Instruction Fuzzy Hash: 4761F1352083019FD307EF20C895F6ABBE8AF89714F08559DF4569B2A2DB30DD49CB62

Function 0038698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003869BE
FindClose.KERNEL32(00000000), ref: 00386A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00386A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00386A75

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00386AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00386ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00386B6A
%03d, xrefs: 00386DA2
%02d, xrefs: 00386C00, 00386C0A, 00386C5A, 00386CAA, 00386CFA, 00386D4A
%4d, xrefs: 00386BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00386B32

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f689255f8ab74c4ee6b6df20d9bc8ae55b07e074564ff4b3b901b30ca68b5aae
Instruction ID: e08464277b825427d6258829dd51d40c8cb62f3f1f5430e30e1aca07d38c85b5
Opcode Fuzzy Hash: f689255f8ab74c4ee6b6df20d9bc8ae55b07e074564ff4b3b901b30ca68b5aae
Instruction Fuzzy Hash: 1ED15272508300AFC715EBA4D896EABB7FCAF88704F04495EF585CB191EB74DA44CB62

Function 00389642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00389663
GetFileAttributesW.KERNEL32(?), ref: 003896A1
SetFileAttributesW.KERNEL32(?,?), ref: 003896BB
FindNextFileW.KERNEL32(00000000,?), ref: 003896D3
FindClose.KERNEL32(00000000), ref: 003896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0038974A
SetCurrentDirectoryW.KERNEL32(003D6B7C), ref: 00389768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00389772
FindClose.KERNEL32(00000000), ref: 0038977F
FindClose.KERNEL32(00000000), ref: 0038978F

Strings

*.*, xrefs: 003896F5

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 50780127bd7e6b49cc39d17c7d423c494a21eba4d46e5337d9cd74bdddffa065
Instruction ID: 87c82c4a207df1e88a701fed5e8fa70433bf6bc3639e32520e41211e9db6737b
Opcode Fuzzy Hash: 50780127bd7e6b49cc39d17c7d423c494a21eba4d46e5337d9cd74bdddffa065
Instruction Fuzzy Hash: 9531C0325003196ADF12AFB4EC49BEE77ACAF4A320F184597F815E21A0EB34DE408B54

Function 0038979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00389819
FindClose.KERNEL32(00000000), ref: 00389824
FindFirstFileW.KERNEL32(*.*,?), ref: 00389840
SetCurrentDirectoryW.KERNEL32(?), ref: 00389890
SetCurrentDirectoryW.KERNEL32(003D6B7C), ref: 003898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003898B8
FindClose.KERNEL32(00000000), ref: 003898C5
FindClose.KERNEL32(00000000), ref: 003898D5

Part of subcall function 0037DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0037DB00

Strings

*.*, xrefs: 0038983B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: e314cb20d225eeaf8f78cd2b3e2f50654003aad5d63f44458aeb5d35751ecb6a
Instruction ID: 085cd9e5716d40fbe56ef742a8a1fcc2e7abbe9a5f5e81ee9220929dafb60fd5
Opcode Fuzzy Hash: e314cb20d225eeaf8f78cd2b3e2f50654003aad5d63f44458aeb5d35751ecb6a
Instruction Fuzzy Hash: B331A33250071A6EDF12AFB4EC49BEE77AC9F06324F194597E814E6190DB30DE458B60

Function 0037D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00313AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00313A97,?,?,00312E7F,?,?,?,00000000), ref: 00313AC2

Part of subcall function 0037E199: GetFileAttributesW.KERNEL32(?,0037CF95), ref: 0037E19A

FindFirstFileW.KERNEL32(?,?), ref: 0037D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0037D1DD
MoveFileW.KERNEL32(?,?), ref: 0037D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0037D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0037D237

Part of subcall function 0037D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0037D21C,?,?), ref: 0037D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0037D253
FindClose.KERNEL32(00000000), ref: 0037D264

Strings

\*.*, xrefs: 0037D0CD, 0037D0D6, 0037D0EB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 64616dc87b35f8e2ba9e61545eb164b3856979051372d14c750eb5b25ef7db1e
Instruction ID: 635cb0ab5e2987c76e584acad157e7ce099a06c3b0004ed0f379d8527b0404d7
Opcode Fuzzy Hash: 64616dc87b35f8e2ba9e61545eb164b3856979051372d14c750eb5b25ef7db1e
Instruction Fuzzy Hash: E961823180110D9FCF1BEBE0C952AEDB779AF19300F6485A5E4067B192EB356F49DB60

Function 0038ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0038ED91
EmptyClipboard.USER32 ref: 0038ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0038EDAC
CloseClipboard.USER32 ref: 0038EEA3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5c420170d223c6da90e24c05f6312a1971d933c8d480a50a6841f81c335458d7
Instruction ID: 7debba87e1cd8ecfc2b171c84466e8facd3340a61ac826fb49a9ab9f02260459
Opcode Fuzzy Hash: 5c420170d223c6da90e24c05f6312a1971d933c8d480a50a6841f81c335458d7
Instruction Fuzzy Hash: 7641BE35204611AFE722EF15D888F59BBE9EF49318F19D099E4158F6A2C735FC42CB90

Function 0037E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037170D
Part of subcall function 003716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037173A
Part of subcall function 003716C3: GetLastError.KERNEL32 ref: 0037174A

ExitWindowsEx.USER32(?,00000000), ref: 0037E932

Strings

, xrefs: 0037E95C
SeShutdownPrivilege, xrefs: 0037E902
@, xrefs: 0037E925
, xrefs: 0037E920

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: fc57b29da5cbf299f00f1a756bc0682957cbfaf830e72df21de848b643883232
Instruction ID: e63393e1b2158caf95cf2a37e98ced056f1db6ba5baf60ccc1c05b0d7d3cdd10
Opcode Fuzzy Hash: fc57b29da5cbf299f00f1a756bc0682957cbfaf830e72df21de848b643883232
Instruction Fuzzy Hash: B0014E73620210AFEB7626749C86FBF725C970E740F158462FE17E21D1D76C5C408290

Function 00391204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00391276
WSAGetLastError.WSOCK32 ref: 00391283
bind.WSOCK32(00000000,?,00000010), ref: 003912BA
WSAGetLastError.WSOCK32 ref: 003912C5
closesocket.WSOCK32(00000000), ref: 003912F4
listen.WSOCK32(00000000,00000005), ref: 00391303
WSAGetLastError.WSOCK32 ref: 0039130D
closesocket.WSOCK32(00000000), ref: 0039133C

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9e1ff5f8299a6bf50046e4d3a5bfe471079e34958d199ac05ff5d0db87a312da
Instruction ID: ede641f6c9d65743da03cba4c44390e9a63745e38bb6dd62c677875677605df1
Opcode Fuzzy Hash: 9e1ff5f8299a6bf50046e4d3a5bfe471079e34958d199ac05ff5d0db87a312da
Instruction Fuzzy Hash: AA4193356001019FDB15EF24C488B69BBFABF46318F198588D8569F2D6C775EC81CBE1

Function 0034B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0034B9D4
_free.LIBCMT ref: 0034B9F8
_free.LIBCMT ref: 0034BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003B3700), ref: 0034BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,003E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0034BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,003E1270,000000FF,?,0000003F,00000000,?), ref: 0034BC36
_free.LIBCMT ref: 0034BD4B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: eec2dcfa3727bf810f7b37aa26bc1b9a5a1dcc6738cd3b72babe467cb5215861
Instruction ID: 9f676618af9cf2b33786dc821e17f942bb994f6c7c15ad23fd019fa4a6eb47be
Opcode Fuzzy Hash: eec2dcfa3727bf810f7b37aa26bc1b9a5a1dcc6738cd3b72babe467cb5215861
Instruction Fuzzy Hash: 2FC12571A04245AFCB239F698C81BAAFBFCEF42310F15469AE591DF291E730EE418750

Function 0037D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00313AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00313A97,?,?,00312E7F,?,?,?,00000000), ref: 00313AC2

Part of subcall function 0037E199: GetFileAttributesW.KERNEL32(?,0037CF95), ref: 0037E19A

FindFirstFileW.KERNEL32(?,?), ref: 0037D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0037D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0037D481
FindClose.KERNEL32(00000000), ref: 0037D498
FindClose.KERNEL32(00000000), ref: 0037D4A1

Strings

\*.*, xrefs: 0037D3F2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 40d372d0d343642a2a6ffc8c29f27feb4ab425992fcd2eb1ad57a366b9c5794b
Instruction ID: 298ee232e3c8915154305bf5d3444595fccfa6ad5707e42e359ec080492ea87b
Opcode Fuzzy Hash: 40d372d0d343642a2a6ffc8c29f27feb4ab425992fcd2eb1ad57a366b9c5794b
Instruction Fuzzy Hash: 1231B0710083449BC316EF60C8929EFB7E8AE9A310F408E1EF4D557191EF34AA49C763

Function 0034E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0034E645

Strings

1#IND, xrefs: 0034F83D
1#INF, xrefs: 0034F852
1#SNAN, xrefs: 0034F844
1#QNAN, xrefs: 0034F84B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: dbaeb032bb89eebc43405a3a1bad74af848eba9cec4ef30b87339144a37e50a0
Instruction ID: dc5e6ad130cf4b0066f0efb613646219d133c394feee0ac3b98b56cd934963a5
Opcode Fuzzy Hash: dbaeb032bb89eebc43405a3a1bad74af848eba9cec4ef30b87339144a37e50a0
Instruction Fuzzy Hash: B6C22B71E046288FDB66CE289D407EAB7F9FB45305F1941EAD44DEB240E778AE818F40

Function 0038648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003864DC
CoInitialize.OLE32(00000000), ref: 00386639
CoCreateInstance.OLE32(003AFCF8,00000000,00000001,003AFB68,?), ref: 00386650
CoUninitialize.OLE32 ref: 003868D4

Strings

.lnk, xrefs: 003864BA, 00386524, 003865E0

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: fdb02c82910de3247f84a65d1f4c0692c075389b50bfd1a4bcce09a60fd3c08f
Instruction ID: c6aaef12fbd3c811610540f8c8f7ddf1605b1613f030754ce5aa5810942b5940
Opcode Fuzzy Hash: fdb02c82910de3247f84a65d1f4c0692c075389b50bfd1a4bcce09a60fd3c08f
Instruction Fuzzy Hash: 35D14A715083019FC306EF24C892AABB7E8FF99704F04496DF5958B291EB70ED45CB92

Function 003922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003922E8

Part of subcall function 0038E4EC: GetWindowRect.USER32(?,?), ref: 0038E504

GetDesktopWindow.USER32 ref: 00392312
GetWindowRect.USER32(00000000), ref: 00392319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00392355
GetCursorPos.USER32(?), ref: 00392381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003923DF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 78a22804d8cfd1311b7035f4b89d493c695541170fb7c45e6613ecdbdb3f985d
Instruction ID: 760323b798b97d996147f75a7510e3ee650bc4d889437708307d7367031fd0c8
Opcode Fuzzy Hash: 78a22804d8cfd1311b7035f4b89d493c695541170fb7c45e6613ecdbdb3f985d
Instruction Fuzzy Hash: 3A31E272504715AFCB22DF15C849B5BB7ADFF89310F00091DF98997191DB34E908CB92

Function 00389B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00389B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00389C8B

Part of subcall function 00383874: GetInputState.USER32 ref: 003838CB
Part of subcall function 00383874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00383966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00389BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00389C75

Strings

*.*, xrefs: 00389B5D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0a71b61130859966e6da26bd7410145859ebae97356b7334729fa96f56176d82
Instruction ID: bd10c113e194e465101a0fa56bd8c22a263949dd9873df7e23e1bc4c1cbba217
Opcode Fuzzy Hash: 0a71b61130859966e6da26bd7410145859ebae97356b7334729fa96f56176d82
Instruction Fuzzy Hash: 3441517190420AAFCF16EFA4C985BEE7BB8EF49310F144597E815A7191EB319E84CF60

Function 0032997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00329A4E
GetSysColor.USER32(0000000F), ref: 00329B23
SetBkColor.GDI32(?,00000000), ref: 00329B36

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c2a0b1a61c4d0ef213cf89bd9adaeaad1cfe6ca0d4d75d438afe9ce10f9a62ca
Instruction ID: d6486117256ad88a564875b28c035bd489c82d679d75f60183f01834a6caa332
Opcode Fuzzy Hash: c2a0b1a61c4d0ef213cf89bd9adaeaad1cfe6ca0d4d75d438afe9ce10f9a62ca
Instruction Fuzzy Hash: A8A13B70208664AEE7379A3CAC98F7B369DDF43344F16820BF102DA9D5CA259D41D271

Function 00391806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0039304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0039307A
Part of subcall function 0039304E: _wcslen.LIBCMT ref: 0039309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0039185D
WSAGetLastError.WSOCK32 ref: 00391884
bind.WSOCK32(00000000,?,00000010), ref: 003918DB
WSAGetLastError.WSOCK32 ref: 003918E6
closesocket.WSOCK32(00000000), ref: 00391915

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 35b0996fe761cd8c0cdb87e8015e8166bd082ac465c7cb4c786ee1ce9ec66616
Instruction ID: b9005b1515eadb7a85b255b836596bca7abdcc5e083447f42561f215f05e6023
Opcode Fuzzy Hash: 35b0996fe761cd8c0cdb87e8015e8166bd082ac465c7cb4c786ee1ce9ec66616
Instruction Fuzzy Hash: 6151C471A002109FEB16AF24C886F6A77E9AB49718F088458F9156F3D3C771AD418BA1

Function 003A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 003A1CC0
IsWindowEnabled.USER32 ref: 003A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 003A1CDB
IsIconic.USER32 ref: 003A1CE9
IsZoomed.USER32 ref: 003A1CF7

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d04be8f4f0385453f08bde1d585b2bc66f67a1a6a27c1177846e4e7caa36d456
Instruction ID: d31874e08eb2d06df81cf39e533acdfc76fec6f9afa0dd6117d4c2fda2a25f37
Opcode Fuzzy Hash: d04be8f4f0385453f08bde1d585b2bc66f67a1a6a27c1177846e4e7caa36d456
Instruction Fuzzy Hash: E121B5317402105FD7228F2AC844B6A7BE9EF9B724F199068E846CB352CB71DC42CB94

Function 00318060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 003183FA
ERCP, xrefs: 0031813C
VUUU, xrefs: 003183E8
VUUU, xrefs: 00355DF0
VUUU, xrefs: 0031843C

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: c62f8deb542eb35a2bac6811dae7e08d0c829e6e7b7f9cd4c9542ae1bd9fee46
Instruction ID: b0cd4d3f5291873177a6e1ae00bf094fc503e28c9bab31e497dbfed5b399bfdf
Opcode Fuzzy Hash: c62f8deb542eb35a2bac6811dae7e08d0c829e6e7b7f9cd4c9542ae1bd9fee46
Instruction Fuzzy Hash: 94A29E70A0061ACBDF2ACF58C851BEDB7B1BF58311F2585A9EC15AB290DB309DC5CB94

Function 00378298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003782AA

Strings

|, xrefs: 003782DA
(, xrefs: 003782F0
tb=, xrefs: 003784F4

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb=$|
API String ID: 1659193697-3835051088
Opcode ID: 5c6e95d33959a7f48637276f2fc1488f2e555631be4ea1f88ec28a899d6edc92
Instruction ID: 3cdbf00aa9a40e5a00acc1c25859f4bcf2720f7449894fc2bdf6ef38d1cf3cfa
Opcode Fuzzy Hash: 5c6e95d33959a7f48637276f2fc1488f2e555631be4ea1f88ec28a899d6edc92
Instruction Fuzzy Hash: C4324478A00605DFDB29CF29C085A6AB7F0FF48710B15C46EE49ADB7A1EB74E941CB40

Function 0037AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0037AAAC
SetKeyboardState.USER32(00000080), ref: 0037AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0037AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0037AB88

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: eb16b7fa4b00580cc424e5edac290422529387e58820bd8d173f3fea354ccf7e
Instruction ID: e240ca0d5d82e841a84869334d5aad9fdfdba221d5e7fdd94951224fd2c0899a
Opcode Fuzzy Hash: eb16b7fa4b00580cc424e5edac290422529387e58820bd8d173f3fea354ccf7e
Instruction Fuzzy Hash: 34310930A40A08AEFF37CA64CC05BFE77AAABC9310F04C21AF189565D1D37C9985D792

Function 0038CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0038CE89
GetLastError.KERNEL32(?,00000000), ref: 0038CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0038CEFE

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 913fb5d8bc07a5aed6029df66306d97a81f93082641f0f9846577117c0766637
Instruction ID: 31c5773868c554387a15b4031c2cacbeef79271610ca2af1324bee3db81a4f9f
Opcode Fuzzy Hash: 913fb5d8bc07a5aed6029df66306d97a81f93082641f0f9846577117c0766637
Instruction Fuzzy Hash: E021BAB1510305ABEB32EFA5D988BA6B7FCEB40315F10985EE64692151EB74EE048B60

Function 00385C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00385CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00385D17
FindClose.KERNEL32(?), ref: 00385D5F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 626fd51578e6bd2f6d407ee26c03a7e3c8aac00a1f3963c88e4c34b3fe23751e
Instruction ID: bce880b67c43b8c50500afa3c073558fac1093e8a75179cfe2a65963eaa122f0
Opcode Fuzzy Hash: 626fd51578e6bd2f6d407ee26c03a7e3c8aac00a1f3963c88e4c34b3fe23751e
Instruction Fuzzy Hash: 65519A34604B019FC71AEF28C494A96B7E4FF49314F14859EE95A8B3A1CB30ED49CF91

Function 00342622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0034271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00342724
UnhandledExceptionFilter.KERNEL32(?), ref: 00342731

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6eb0f001208362f5b66ad949558c644705e1fdbea393bb7e08431fb80259b31d
Instruction ID: 347d5beac9ce9d8981687b416caba7965ad43f09a40891aacb2ca3dac60e9cdb
Opcode Fuzzy Hash: 6eb0f001208362f5b66ad949558c644705e1fdbea393bb7e08431fb80259b31d
Instruction Fuzzy Hash: 9331B47491121C9BCB22DF64DD897D9BBB8AF08310F5041EAE41CAA261E7749F858F45

Function 003851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00385238
SetErrorMode.KERNEL32(00000000), ref: 003852A1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f28b75b277d4f1fca3baf7910b6993ab681d4368bb06d9b069662b9375d07088
Instruction ID: 9bb0891a8e18ad133661013317e0e8e6206edeb74a4b6af1030ec9b024b88524
Opcode Fuzzy Hash: f28b75b277d4f1fca3baf7910b6993ab681d4368bb06d9b069662b9375d07088
Instruction Fuzzy Hash: C7314C75A10618DFDB01EF54D884EADBBB4FF49314F098499E805AF362DB31E856CB90

Function 003716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0032FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00330668
Part of subcall function 0032FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00330685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037173A
GetLastError.KERNEL32 ref: 0037174A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 752ab382c957d096e42ea632c14231b431daed8b6e6a20522cd41f23197ef9ae
Instruction ID: bc94ddb81549bd4a1f370705383ad3fcf633e2a0243bd459b27e5f11c9909c16
Opcode Fuzzy Hash: 752ab382c957d096e42ea632c14231b431daed8b6e6a20522cd41f23197ef9ae
Instruction Fuzzy Hash: 8C119EB2414304AFD729AF58EC86D6ABBBDFF44714B20C52EE45A57241EB74FC41CA20

Function 0037D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0037D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0037D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0037D650

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 631ca2579b420ad53887d2996c14db9ef1d8ec6757e363c479119ecfa4a95ee4
Instruction ID: 3e1abc95d133ceb48d08ccd2a2e319183afb7e815fdc08a201a7190f0de1e1c0
Opcode Fuzzy Hash: 631ca2579b420ad53887d2996c14db9ef1d8ec6757e363c479119ecfa4a95ee4
Instruction Fuzzy Hash: 2B116175E05228BFDB218F95DC45FAFBFBCEB45B50F108115F908E7290D6744A058BA1

Function 00371663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0037168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003716A1
FreeSid.ADVAPI32(?), ref: 003716B1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: eee708e877e78f275be8a664155168e1de8e2feff34974cae95fe6bbc1ce0839
Instruction ID: 14617c2f5ca9ce7a4e42ee8e90bf28f197a8b419151a477b18a7daadd54e37d4
Opcode Fuzzy Hash: eee708e877e78f275be8a664155168e1de8e2feff34974cae95fe6bbc1ce0839
Instruction Fuzzy Hash: 26F0F47195030DFBDB01DFE49C89AAEBBBCEB08704F508565E901E2181E774EA448A50

Function 0034C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0034C36C

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 4cd46c81ccfffbb952217eb1782b17eaf7a109135c6447b76511c8042834a270
Instruction ID: 96fea86ddefa856cef9dc74acff9ff5189b36bd58ab00665efacda4944349d13
Opcode Fuzzy Hash: 4cd46c81ccfffbb952217eb1782b17eaf7a109135c6447b76511c8042834a270
Instruction Fuzzy Hash: 56414776901219AFCB219FB9CC88EBB77F8EB84314F104669F905DF180E670AD80CB50

Function 0033CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c38875347cbba91ff2f384e3831d3d92af91f7e9c158a12ede847d3f65b13a93
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 6C022C72E102199BDF15CFA9C8806ADFBF1EF48314F259169E819FB384D731AE418B80

Function 0031CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#>, xrefs: 0031CF7F
Variable is not of type 'Object'., xrefs: 00360C40

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#>
API String ID: 0-2427628166
Opcode ID: 10fc2d93211178007a789b840f2d60343eb9459985bf8af5b8d621e399188d79
Instruction ID: 834a57b83e65f2f795296358f27f5e19906f1f7651d1aac15a2f5b8ec52d5660
Opcode Fuzzy Hash: 10fc2d93211178007a789b840f2d60343eb9459985bf8af5b8d621e399188d79
Instruction Fuzzy Hash: 3A32AE30950218DBCF1EDF90D881AEEB7B9FF08304F159059E806AF296D775AD86CB60

Function 003868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00386918
FindClose.KERNEL32(00000000), ref: 00386961

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 689ec53430e18fffb7364202750fbb7e00ff610d2448be89ab91b860c5aed3a7
Instruction ID: 3e557f78219c0ee338fb755ce78bcfff1790167cfaea989d4097333be57c7f62
Opcode Fuzzy Hash: 689ec53430e18fffb7364202750fbb7e00ff610d2448be89ab91b860c5aed3a7
Instruction Fuzzy Hash: 7C11BF316142009FC715DF29D889A16BBE5FF89328F15C6A9F4698F7A2CB30EC45CB91

Function 003837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00394891,?,?,00000035,?), ref: 003837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00394891,?,?,00000035,?), ref: 003837F4

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2d90c14b5a1103322eb1cadebb721b7ba1e71687b832eaf70a6d12d996bec381
Instruction ID: a0c5731f51c105c7f213d9930c0273bc8da5a0da677602e3d236f75f752254bf
Opcode Fuzzy Hash: 2d90c14b5a1103322eb1cadebb721b7ba1e71687b832eaf70a6d12d996bec381
Instruction Fuzzy Hash: 79F0E5B06053282AEB2227668C4DFEB3AAEEFC5B61F000275F509D2291D9609944C7B0

Function 0037B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0037B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0037B270

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: cab751c3ed3cbd7c6e0d693aeaf4d78c2a7381a4d46193065f874015815adef8
Instruction ID: c0dae9d8dba79a164e3e34d3ea7c9e7e5ef9b9a6f7441357cfb0a25d54dfd7af
Opcode Fuzzy Hash: cab751c3ed3cbd7c6e0d693aeaf4d78c2a7381a4d46193065f874015815adef8
Instruction Fuzzy Hash: 6CF01D7181424DABDB169FA1C805BBEBBB4FF05309F009409F955A5192C37986119F94

Function 003710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003711FC), ref: 003710D4
CloseHandle.KERNEL32(?,?,003711FC), ref: 003710E9

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5b0c075ec5f66d85484d33db04aec94d886067989aa86612ddbc4f0254e6a9f6
Instruction ID: 5ba9c76b92c94db1f1d8e97547e9eafc339a1e8f41f5629ea497713109442ae5
Opcode Fuzzy Hash: 5b0c075ec5f66d85484d33db04aec94d886067989aa86612ddbc4f0254e6a9f6
Instruction Fuzzy Hash: 9AE04F32014610AEE7272B11FC05E7377ADEF04310F10882DF4A6844B1DB62AC90DB10

Function 0035E781 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

5, xrefs: 0035E8DE
5, xrefs: 0035E8D2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: 5$5
API String ID: 0-2059066348
Opcode ID: b45bc9b2fbb9b47a8868bd7276c8615e82fda90d44d783b27225ebcd57237363
Instruction ID: 79ae7450390ea2efe39d483ce5fbfdf0efd1bac8ae85dcdc0230442d90315077
Opcode Fuzzy Hash: b45bc9b2fbb9b47a8868bd7276c8615e82fda90d44d783b27225ebcd57237363
Instruction Fuzzy Hash: ED3172DB85EBC14FD7434A7468799827FB05B2319EB9B08DFC8819B0A3F249944BD342

Function 0034676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00346766,?,?,00000008,?,?,0034FEFE,00000000), ref: 00346998

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: dba1a1fa7ff5c071c90f4c657172927f3ece3a7ee2d8428d78ef9f806c44b493
Instruction ID: 37c769981bda6a6699f5b0e5caf6492d1f90c23633a352333291b3d2b5b5f609
Opcode Fuzzy Hash: dba1a1fa7ff5c071c90f4c657172927f3ece3a7ee2d8428d78ef9f806c44b493
Instruction Fuzzy Hash: 3CB15C71610608DFD71ACF28C48AB657BE0FF46364F268658E899CF2A2C335E991CB41

Function 0032B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0036851F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9a5368cc246238530445a7db0ed70e2a412855d411d330f49b5941db852eb4ba
Instruction ID: 53a5c2e5ae71f058156bef86490fe4ab9cd69597dfd682596f41b2c52a897225
Opcode Fuzzy Hash: 9a5368cc246238530445a7db0ed70e2a412855d411d330f49b5941db852eb4ba
Instruction Fuzzy Hash: 04127E759002299FCB26DF59D8806EEB7F5FF48310F1581AAE849EB255DB309E81CB90

Function 0038EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0038EABD

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 08c56fe5ddae80a455bf700a2bdfc4ccb5a01f48741ee64167d26c521066df1b
Instruction ID: 41f3287afc7ee5089b22c0571969ed6f039620a265de7dea7e44f7c1edb3d2d1
Opcode Fuzzy Hash: 08c56fe5ddae80a455bf700a2bdfc4ccb5a01f48741ee64167d26c521066df1b
Instruction Fuzzy Hash: 72E04F312202049FC715EF59D804E9AF7EDAF99B60F048456FC49CB361DB74E8818B90

Function 003309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003303EE), ref: 003309DA

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e5fa5e63e396e64be76d2aab3615509f9d01301a67a7ddf750b100457357ac1a
Instruction ID: ac541bcb40149bd790c6c017e9df69b37a44102514ead4da9573098cf71d4b2d
Opcode Fuzzy Hash: e5fa5e63e396e64be76d2aab3615509f9d01301a67a7ddf750b100457357ac1a
Instruction Fuzzy Hash:

Function 0033781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0033798B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2596afa7f5f2fbff0445cf6369cfa028b286a5675397e858254e7c732d2a248e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 955145E160C7496BDB3B866888DFBBE63C99B02340F190A09E982DF782C715DE41D352

Function 00382046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&>, xrefs: 00382053

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: 0&>
API String ID: 0-3650462221
Opcode ID: 9927b9110a59d2c95f5bdba6ddd66edc1e643e053a4cab6745d36419ed473688
Instruction ID: 087ac536033b0e3950bc86045d24a78f6f973d2b2e8475a779bce088763bec51
Opcode Fuzzy Hash: 9927b9110a59d2c95f5bdba6ddd66edc1e643e053a4cab6745d36419ed473688
Instruction Fuzzy Hash: B321E7726206118BDB28CF79C86367F73E9A794310F15866EE4A7C73D0DE75A904CB80

Function 00346DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f827d3688d1843ec670057e3cf263ef2d81aa5133a5a3494d535d55a0abb5bf7
Instruction ID: b4a998a0908f1f20b12a746c3f8349f688b2fd199d8eb4f80c26a133a4522af4
Opcode Fuzzy Hash: f827d3688d1843ec670057e3cf263ef2d81aa5133a5a3494d535d55a0abb5bf7
Instruction Fuzzy Hash: 1C322722D29F414DD7239635CC22336A68DAFB73C9F15D737F81AB9AA5EB29D4834100

Function 0032CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8575c57f584d5089946f22e22353cc732116eac48c3d62bbd1b6189a0f7736
Instruction ID: ac4c6ddf1b69b86614e8791d1f16eda3ccaf9a940183c2f49e175a17d7a3e67d
Opcode Fuzzy Hash: ba8575c57f584d5089946f22e22353cc732116eac48c3d62bbd1b6189a0f7736
Instruction Fuzzy Hash: BC322731A201258BCF27CF68D49467D7BA5EB45300F2AE56BD8C9CB699D330DE82DB41

Function 00317920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063b310d1cfa758216c1b101c13566e4c4b1d7abfe342e66065214e96e222af4
Instruction ID: 655c3714c8e236303352eae7352391d62ce950869d7b46b3fe3bf4ab3ba6181f
Opcode Fuzzy Hash: 063b310d1cfa758216c1b101c13566e4c4b1d7abfe342e66065214e96e222af4
Instruction Fuzzy Hash: EB22F3B0A04609DFDF1ACF64D891AEEB3F5FF48300F144529E816AB2A1EB35AD54CB50

Function 003191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3fb9631c62865eb24f27cc4518bce94964473e8c99cc5fcf79b15539da779b
Instruction ID: 2c9e18d9319cca61f4439ec230cf5fb115732b3f10a5851bf70cc469da4fdc64
Opcode Fuzzy Hash: bb3fb9631c62865eb24f27cc4518bce94964473e8c99cc5fcf79b15539da779b
Instruction Fuzzy Hash: 3C02C7B1E00119EFDB0ADF64D981AADB7B5FF44300F118569E8169B290E731EE55CB81

Function 00337A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed2d48b35af4c2088797f2ce57ea49a65c0aeaa4796b51d39bff151df0ce838
Instruction ID: b93196be85d4e974fc5af9e3f007963c8aeddb7a1bf75ccc7643ae4bf325299c
Opcode Fuzzy Hash: 5ed2d48b35af4c2088797f2ce57ea49a65c0aeaa4796b51d39bff151df0ce838
Instruction Fuzzy Hash: D96147F160C749A6DE3B9A2C8CE6BBEA3A8DF41700F15091AF843DF781DA119E42C355

Function 00337CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5896acc2db83ba218c69fcbeda6c04d43676c3fb56769ff0df9bd3e452bf349
Instruction ID: 9da96e33733633f129a1a6b58769c528f5052abe94e201191ad914eaa0dcb938
Opcode Fuzzy Hash: a5896acc2db83ba218c69fcbeda6c04d43676c3fb56769ff0df9bd3e452bf349
Instruction Fuzzy Hash: 31619AF160C709A7DE3B9A2888D2BBF2398EF42744F11095AF943DF681DA16ED42C355

Function 00392ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00392B30
DeleteObject.GDI32(00000000), ref: 00392B43
DestroyWindow.USER32 ref: 00392B52
GetDesktopWindow.USER32 ref: 00392B6D
GetWindowRect.USER32(00000000), ref: 00392B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00392CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00392CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392CF8
GetClientRect.USER32(00000000,?), ref: 00392D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00392D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392D80
GlobalLock.KERNEL32(00000000), ref: 00392D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392D98
GlobalUnlock.KERNEL32(00000000), ref: 00392DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392DA8
GlobalFree.KERNEL32(00000000), ref: 00392DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,003AFC38,00000000), ref: 00392DDB
GlobalFree.KERNEL32(00000000), ref: 00392DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00392E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00392E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039303F

Strings

static, xrefs: 00392D3A, 00392E91
DISPLAY, xrefs: 00392EA2
AutoIt v3, xrefs: 00392CF2
, xrefs: 00392FC5

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 761e37d5abfbc56e78755904f9467435fe822dfbf1ae8188d9fa727d2bc4f6d2
Instruction ID: e28d38b7c16e15e068cbfe817ae830e76c02d1686c31ce1cf1bef0c84c8cc786
Opcode Fuzzy Hash: 761e37d5abfbc56e78755904f9467435fe822dfbf1ae8188d9fa727d2bc4f6d2
Instruction Fuzzy Hash: ED027A75A10205AFDB16DFA4CC89EAE7BB9EB49310F048118F915AB2A1DB74AD41CF60

Function 003A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 003A712F
GetSysColorBrush.USER32(0000000F), ref: 003A7160
GetSysColor.USER32(0000000F), ref: 003A716C
SetBkColor.GDI32(?,000000FF), ref: 003A7186
SelectObject.GDI32(?,?), ref: 003A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 003A71C0
GetSysColor.USER32(00000010), ref: 003A71C8
CreateSolidBrush.GDI32(00000000), ref: 003A71CF
FrameRect.USER32(?,?,00000000), ref: 003A71DE
DeleteObject.GDI32(00000000), ref: 003A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 003A7230
FillRect.USER32(?,?,?), ref: 003A7262
GetWindowLongW.USER32(?,000000F0), ref: 003A7284

Part of subcall function 003A73E8: GetSysColor.USER32(00000012), ref: 003A7421
Part of subcall function 003A73E8: SetTextColor.GDI32(?,?), ref: 003A7425
Part of subcall function 003A73E8: GetSysColorBrush.USER32(0000000F), ref: 003A743B
Part of subcall function 003A73E8: GetSysColor.USER32(0000000F), ref: 003A7446
Part of subcall function 003A73E8: GetSysColor.USER32(00000011), ref: 003A7463
Part of subcall function 003A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003A7471
Part of subcall function 003A73E8: SelectObject.GDI32(?,00000000), ref: 003A7482
Part of subcall function 003A73E8: SetBkColor.GDI32(?,00000000), ref: 003A748B
Part of subcall function 003A73E8: SelectObject.GDI32(?,?), ref: 003A7498
Part of subcall function 003A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003A74B7
Part of subcall function 003A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003A74CE
Part of subcall function 003A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003A74DB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f7b18026067394b9954c43dd578049604dbf9eb0b79efdec81df0a38dff916b8
Instruction ID: a55f6f163d2c9ce5b42ca43f9f773fb2bdd24eedc5a73c35413a0bc3d8bac42f
Opcode Fuzzy Hash: f7b18026067394b9954c43dd578049604dbf9eb0b79efdec81df0a38dff916b8
Instruction Fuzzy Hash: F5A1A072518301AFDB129F60DC88A6BBBEDFF4B320F101A19F962961E1D771E944CB51

Function 00392711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0039273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0039286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00392900
GetClientRect.USER32(00000000,?), ref: 0039290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00392955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00392964
GetStockObject.GDI32(00000011), ref: 00392974
SelectObject.GDI32(00000000,00000000), ref: 00392978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00392988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00392991
DeleteDC.GDI32(00000000), ref: 0039299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00392A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00392A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00392A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00392A77
GetStockObject.GDI32(00000011), ref: 00392A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00392A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00392A97

Strings

static, xrefs: 0039294F, 00392A71
DISPLAY, xrefs: 0039295A
AutoIt v3, xrefs: 003928F8
msctls_progress32, xrefs: 00392A13

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5c37923603cb7375a09ab6559848fed8dbee79d656bad3a1154e998e8d3a44b9
Instruction ID: 6e6d333c014e1f361443b23ffeb2e8129b95236d94faa915926f7c8b824fc143
Opcode Fuzzy Hash: 5c37923603cb7375a09ab6559848fed8dbee79d656bad3a1154e998e8d3a44b9
Instruction Fuzzy Hash: 5BB14B75A10615AFEB15DFA8DC89FAF7BA9EB09710F004214F915EB2D1D770AD40CBA0

Function 00384ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00384AED
GetDriveTypeW.KERNEL32(?,003ACB68,?,\\.\,003ACC08), ref: 00384BCA
SetErrorMode.KERNEL32(00000000,003ACB68,?,\\.\,003ACC08), ref: 00384D36

Strings

1394, xrefs: 00384C9F
ATAPI, xrefs: 00384C91
SSA, xrefs: 00384CA6
SATA, xrefs: 00384CD0
RAMDisk, xrefs: 00384BF4
FileBackedVirtual, xrefs: 00384CEC
Virtual, xrefs: 00384CE5
PhysicalDrive, xrefs: 00384B76
MMC, xrefs: 00384CDE
Fixed, xrefs: 00384C09
Unknown, xrefs: 00384BED, 00384C83
USB, xrefs: 00384CB4
CDROM, xrefs: 00384BFB
Network, xrefs: 00384C02
ATA, xrefs: 00384C98
SAS, xrefs: 00384CC9
SCSI, xrefs: 00384C8A
iSCSI, xrefs: 00384CC2
Removable, xrefs: 00384C10, 00384C15
Fibre, xrefs: 00384CAD
\\.\, xrefs: 00384B3F
RAID, xrefs: 00384CBB
SSD, xrefs: 00384C4A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 963fc6214037f4aae7acfe8ca6766d6f2026fc936a176452cd9e4875a0ddf6c5
Instruction ID: 10d4c1d72f975f7a57679b5fb65807939ad0b3c1981f5039a45f5a210cd509b0
Opcode Fuzzy Hash: 963fc6214037f4aae7acfe8ca6766d6f2026fc936a176452cd9e4875a0ddf6c5
Instruction Fuzzy Hash: 2861D531701307ABCB07FF24D9829ACB7B9AB09300B244496F816ABF55DB75ED41DB41

Function 003A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 003A7421
SetTextColor.GDI32(?,?), ref: 003A7425
GetSysColorBrush.USER32(0000000F), ref: 003A743B
GetSysColor.USER32(0000000F), ref: 003A7446
CreateSolidBrush.GDI32(?), ref: 003A744B
GetSysColor.USER32(00000011), ref: 003A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 003A7471
SelectObject.GDI32(?,00000000), ref: 003A7482
SetBkColor.GDI32(?,00000000), ref: 003A748B
SelectObject.GDI32(?,?), ref: 003A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 003A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 003A7572
DrawFocusRect.USER32(?,?), ref: 003A757D
GetSysColor.USER32(00000011), ref: 003A758E
SetTextColor.GDI32(?,00000000), ref: 003A7596
DrawTextW.USER32(?,003A70F5,000000FF,?,00000000), ref: 003A75A8
SelectObject.GDI32(?,?), ref: 003A75BF
DeleteObject.GDI32(?), ref: 003A75CA
SelectObject.GDI32(?,?), ref: 003A75D0
DeleteObject.GDI32(?), ref: 003A75D5
SetTextColor.GDI32(?,?), ref: 003A75DB
SetBkColor.GDI32(?,?), ref: 003A75E5

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6c5570d58ce167ab05c021d24e0229bd807f64363198e71a7157f589fb8ca931
Instruction ID: 1b59156f1ecf2670860c177d06c1686a06addb2b5e456b5f28e5ff109d10f9fe
Opcode Fuzzy Hash: 6c5570d58ce167ab05c021d24e0229bd807f64363198e71a7157f589fb8ca931
Instruction Fuzzy Hash: E5617A72D00218AFDF069FA4DC49EAEBFB9EF0A320F115125F911AB2A1D7749940CB90

Function 003A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003A1128
GetDesktopWindow.USER32 ref: 003A113D
GetWindowRect.USER32(00000000), ref: 003A1144
GetWindowLongW.USER32(?,000000F0), ref: 003A1199
DestroyWindow.USER32(?), ref: 003A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 003A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 003A1245
IsWindowVisible.USER32(00000000), ref: 003A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003A12D0
GetWindowRect.USER32(00000000,?), ref: 003A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 003A130E
GetMonitorInfoW.USER32(00000000,?), ref: 003A1328
CopyRect.USER32(?,?), ref: 003A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003A13AA

Strings

tooltips_class32, xrefs: 003A11E6
(, xrefs: 003A131B
0, xrefs: 003A10D3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 84824dd36413389383aaf65ae95e20b37d6c87b1af785930d1d64f9ca3763058
Instruction ID: 39cebcc6d6f6529b564e3068ffe6f247671864b142beaa6b126002910b54c0b7
Opcode Fuzzy Hash: 84824dd36413389383aaf65ae95e20b37d6c87b1af785930d1d64f9ca3763058
Instruction Fuzzy Hash: C3B19D71608341AFDB05DF64C884BAAFBE5FF8A350F00891DF9999B2A1D771E844CB91

Function 003A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003A02E5
_wcslen.LIBCMT ref: 003A031F
_wcslen.LIBCMT ref: 003A0389
_wcslen.LIBCMT ref: 003A03F1
_wcslen.LIBCMT ref: 003A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003A0504

Part of subcall function 0032F9F2: _wcslen.LIBCMT ref: 0032F9FD

Part of subcall function 0037223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00372258
Part of subcall function 0037223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0037228A

Strings

GETSUBITEMCOUNT, xrefs: 003A0384, 003A039F
SELECTALL, xrefs: 003A0515
SELECTINVERT, xrefs: 003A057E
SELECTCLEAR, xrefs: 003A052D
ISSELECTED, xrefs: 003A04DD
GETSELECTED, xrefs: 003A05E1
GETITEMCOUNT, xrefs: 003A0316, 003A0337
GETTEXT, xrefs: 003A03EC, 003A0407
DESELECT, xrefs: 003A059C
GETSELECTEDCOUNT, xrefs: 003A0470, 003A048B
VIEWCHANGE, xrefs: 003A0675
FINDITEM, xrefs: 003A0627
SELECT, xrefs: 003A0548

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e203facb4442115db95878f3789e06946ea3b1d7b2f82988769a5b3cfa2509d3
Instruction ID: ef45b636e9755e242f0df0720c482a40914f6af817aaad73fb32d8550b964477
Opcode Fuzzy Hash: e203facb4442115db95878f3789e06946ea3b1d7b2f82988769a5b3cfa2509d3
Instruction Fuzzy Hash: C7E1C1312183018FCB1ADF24C45096AB3E6FF8A314F554A6DF896AB7A1DB30ED45CB81

Function 00328891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00328968
GetSystemMetrics.USER32(00000007), ref: 00328970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0032899B
GetSystemMetrics.USER32(00000008), ref: 003289A3
GetSystemMetrics.USER32(00000004), ref: 003289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00328A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00328A3C
GetClientRect.USER32(00000000,000000FF), ref: 00328A5A
GetStockObject.GDI32(00000011), ref: 00328A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00328A81

Part of subcall function 0032912D: GetCursorPos.USER32(?), ref: 00329141
Part of subcall function 0032912D: ScreenToClient.USER32(00000000,?), ref: 0032915E
Part of subcall function 0032912D: GetAsyncKeyState.USER32(00000001), ref: 00329183
Part of subcall function 0032912D: GetAsyncKeyState.USER32(00000002), ref: 0032919D

SetTimer.USER32(00000000,00000000,00000028,003290FC), ref: 00328AA8

Strings

AutoIt v3 GUI, xrefs: 00328A20

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 8bab06744abb3fed93e04a6fd96847b15acaf51a8e09bc0a2adf18cd199619ca
Instruction ID: e5c3affbca6e3c0f7e92986069ce595162b53b0e515611564a91b1c9eb7014fe
Opcode Fuzzy Hash: 8bab06744abb3fed93e04a6fd96847b15acaf51a8e09bc0a2adf18cd199619ca
Instruction Fuzzy Hash: F5B17C75A002199FDB16DFA8DD85BAE7BB9FB49314F114229FA15AB2D0DB30E840CB50

Function 00370D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00371114
Part of subcall function 003710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371120
Part of subcall function 003710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 0037112F
Part of subcall function 003710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371136
Part of subcall function 003710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0037114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00370DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00370E29
GetLengthSid.ADVAPI32(?), ref: 00370E40
GetAce.ADVAPI32(?,00000000,?), ref: 00370E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00370E96
GetLengthSid.ADVAPI32(?), ref: 00370EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00370EB5
HeapAlloc.KERNEL32(00000000), ref: 00370EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00370EDD
CopySid.ADVAPI32(00000000), ref: 00370EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00370F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00370F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00370F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370F6E
HeapFree.KERNEL32(00000000), ref: 00370F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370F7E
HeapFree.KERNEL32(00000000), ref: 00370F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370F8E
HeapFree.KERNEL32(00000000), ref: 00370F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00370FA1
HeapFree.KERNEL32(00000000), ref: 00370FA8

Part of subcall function 00371193: GetProcessHeap.KERNEL32(00000008,00370BB1,?,00000000,?,00370BB1,?), ref: 003711A1
Part of subcall function 00371193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00370BB1,?), ref: 003711A8
Part of subcall function 00371193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00370BB1,?), ref: 003711B7

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fc2182fa4671874bd3693d985b61cfd883fb4a8f7329d6f3f5bbb4be5200f89d
Instruction ID: 7204ca53e9c33df6bc080edcbf4a9e8227b45efb5ddc29a7076509e2a9fba948
Opcode Fuzzy Hash: fc2182fa4671874bd3693d985b61cfd883fb4a8f7329d6f3f5bbb4be5200f89d
Instruction Fuzzy Hash: BB714B72A0020AEBDB26DFA4DC44BAEBBBCBF06310F158115F919A6191D7759A05CB60

Function 0039C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,003ACC08,00000000,?,00000000,?,?), ref: 0039C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0039C5A4
_wcslen.LIBCMT ref: 0039C5F4
_wcslen.LIBCMT ref: 0039C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0039C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0039C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0039C84D
RegCloseKey.ADVAPI32(?), ref: 0039C881
RegCloseKey.ADVAPI32(00000000), ref: 0039C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0039C960

Strings

REG_DWORD, xrefs: 0039C804
REG_SZ, xrefs: 0039C644
REG_MULTI_SZ, xrefs: 0039C6F5
REG_EXPAND_SZ, xrefs: 0039C5CD
REG_QWORD, xrefs: 0039C8C3
REG_BINARY, xrefs: 0039C913

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 60fc4ddfcc5086344401fa4e383f579852a3a263e9a9ec55e41ed3c4fe1772ca
Instruction ID: ef5682460535870ef45f47b7d12f1fa39eaeb38c6e33d46aa89836f14f23d560
Opcode Fuzzy Hash: 60fc4ddfcc5086344401fa4e383f579852a3a263e9a9ec55e41ed3c4fe1772ca
Instruction Fuzzy Hash: 2B1269352142019FDB1ADF14C891A6AB7E5EF89714F09885DF88A9B3A2DB31FD41CB81

Function 003A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003A09C6
_wcslen.LIBCMT ref: 003A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A0A54
_wcslen.LIBCMT ref: 003A0A8A
_wcslen.LIBCMT ref: 003A0B06
_wcslen.LIBCMT ref: 003A0B81

Part of subcall function 0032F9F2: _wcslen.LIBCMT ref: 0032F9FD

Part of subcall function 00372BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00372BFA

Strings

GETITEMCOUNT, xrefs: 003A0C1E
ISCHECKED, xrefs: 003A0CE1
GETTEXT, xrefs: 003A0C97
GETTOTALCOUNT, xrefs: 003A09F2, 003A0A17
CHECK, xrefs: 003A0A85, 003A0AA0
EXISTS, xrefs: 003A0B7C, 003A0B97
UNCHECK, xrefs: 003A0D3E
EXPAND, xrefs: 003A0BF8
SELECT, xrefs: 003A0D11
COLLAPSE, xrefs: 003A0B01, 003A0B1C
GETSELECTED, xrefs: 003A0C4E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: dabcdd21a18aa0041a2f041effb9a153d9a2d22d8dd039d97ae0ede72a95f7cf
Instruction ID: ebab824492f91a352e2e5ea73c0e923dfab4a10f467ed3cbec1228b11f0d21de
Opcode Fuzzy Hash: dabcdd21a18aa0041a2f041effb9a153d9a2d22d8dd039d97ae0ede72a95f7cf
Instruction Fuzzy Hash: DEE1BF362083018FC71ADF24C45096AB7E2FF9A314F15895DF89AAB362D731ED85CB91

Function 0039C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
_wcslen.LIBCMT ref: 0039C9F1
_wcslen.LIBCMT ref: 0039CA68
_wcslen.LIBCMT ref: 0039CA9E
_wcslen.LIBCMT ref: 0039CAF9
_wcslen.LIBCMT ref: 0039CB2F
_wcslen.LIBCMT ref: 0039CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0039CA62, 0039CA67
HKEY_USERS, xrefs: 0039CBDF
HKEY_CURRENT_CONFIG, xrefs: 0039CB79, 0039CB7E
HKEY_CURRENT_USER, xrefs: 0039CBBD
HKCC, xrefs: 0039CBAC
HKLM, xrefs: 0039CA98, 0039CA9D
HKCU, xrefs: 0039CBCE
HKCR, xrefs: 0039CB29, 0039CB2E
HKEY_CLASSES_ROOT, xrefs: 0039CAF3, 0039CAF8
HKU, xrefs: 0039CBF0

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: df88f9b875d44c4b7d6cbebc47fdc3b759c52cf1e622967a1d412f530491a8de
Instruction ID: 0b9768a429c7c0871af3fa7e5f0be5e1f7fecc11b9a5800051b3d6e1d629a15d
Opcode Fuzzy Hash: df88f9b875d44c4b7d6cbebc47fdc3b759c52cf1e622967a1d412f530491a8de
Instruction Fuzzy Hash: CF71033362016A8BCF23DE7CD9516BF33A5AB64760F122529F8569B284E731CD8187A0

Function 003A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003A835A
_wcslen.LIBCMT ref: 003A836E
_wcslen.LIBCMT ref: 003A8391
_wcslen.LIBCMT ref: 003A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003A5BF2), ref: 003A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003A8501
FreeLibrary.KERNEL32(?), ref: 003A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003A851D
DestroyIcon.USER32(?,?,?,?,?,003A5BF2), ref: 003A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003A8555

Strings

.dll, xrefs: 003A83AB
.icl, xrefs: 003A8368
.exe, xrefs: 003A8388

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: cddbb9ecdd6e32823110553442199c6a03121284720b0a775037ebeb2298cc37
Instruction ID: bbfa3c497a1f59793970676705fcf41bb61d3c7d79efc313a71c9dfe4a8257e3
Opcode Fuzzy Hash: cddbb9ecdd6e32823110553442199c6a03121284720b0a775037ebeb2298cc37
Instruction Fuzzy Hash: 8761C071900215BEEB16DF65CC85BFE77ACFB0AB21F104609F815DA1D1EB74A990C7A0

Function 00317778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 003177FF
#include, xrefs: 00317847
#notrayicon, xrefs: 003177E7
#include-once, xrefs: 0031782F
Cannot parse #include, xrefs: 00355279
#comments-start, xrefs: 0031785F, 003178B1
', xrefs: 00355169
", xrefs: 00355153
#ce, xrefs: 003178ED
Bad directive syntax error, xrefs: 0035519A
Unterminated group of comments, xrefs: 0035528C
#OnAutoItStartRegister, xrefs: 00317817
#pragma compile, xrefs: 003177D3
#cs, xrefs: 00317873, 003178C5
#comments-end, xrefs: 003178D9

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 56a88e0881ed0c2f26e02e7155a4ca1299451bb793dbf9a05be2ccb45dd322e5
Instruction ID: 9d4f90b49302b35b08100c43ea31f7dbc194d5f4b74d8012954b586fd4179e9b
Opcode Fuzzy Hash: 56a88e0881ed0c2f26e02e7155a4ca1299451bb793dbf9a05be2ccb45dd322e5
Instruction Fuzzy Hash: 4B81D571644605ABDB27AF60DC52FFE3BB8AF19300F094025FC05AE192EB75DA85C7A1

Function 00375A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00375A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00375A40
SetWindowTextW.USER32(?,?), ref: 00375A57
GetDlgItem.USER32(?,000003EA), ref: 00375A6C
SetWindowTextW.USER32(00000000,?), ref: 00375A72
GetDlgItem.USER32(?,000003E9), ref: 00375A82
SetWindowTextW.USER32(00000000,?), ref: 00375A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00375AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00375AC3
GetWindowRect.USER32(?,?), ref: 00375ACC
_wcslen.LIBCMT ref: 00375B33
SetWindowTextW.USER32(?,?), ref: 00375B6F
GetDesktopWindow.USER32 ref: 00375B75
GetWindowRect.USER32(00000000), ref: 00375B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00375BD3
GetClientRect.USER32(?,?), ref: 00375BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00375C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00375C2F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b1aaf1c85e1a134d3062040f7552b338fe9c0094f4ea15447a94584aea52c7e1
Instruction ID: 1e28977b52d157ff5755d68e5e63c98de506fc2a1dc8b5ef3abad1ac3077d61d
Opcode Fuzzy Hash: b1aaf1c85e1a134d3062040f7552b338fe9c0094f4ea15447a94584aea52c7e1
Instruction Fuzzy Hash: 83718031900B099FDB36DFA8CE85B6EBBF9FF48704F104918E146A65A0D7B9E944CB50

Function 003730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037318D
_wcslen.LIBCMT ref: 003731F8

Strings

CLASSNN, xrefs: 003731F3, 00373204
CLASS, xrefs: 00373188, 003731A5
REGEXPCLASS, xrefs: 00373255, 00373266
TEXT, xrefs: 0037347C
[=, xrefs: 0037339A
NAME, xrefs: 00373335, 00373346
INSTANCE, xrefs: 00373453

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[=
API String ID: 176396367-3092650863
Opcode ID: 4b236b8d2660def2a80322bad463fe178d14c67c8cd09b9bbf05f88c13b9d175
Instruction ID: 7cd93e86e75eb2262e3dbda9b299ac4ceafe9fc51b7225e943d372c61ed8864a
Opcode Fuzzy Hash: 4b236b8d2660def2a80322bad463fe178d14c67c8cd09b9bbf05f88c13b9d175
Instruction Fuzzy Hash: 35E1D532A00516ABCB3A9F74C4917FEBBB4BF44710F55C11AE45AF7240DB34AE85A790

Function 003300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003300C6

Part of subcall function 003300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(003E070C,00000FA0,09043DB5,?,?,?,?,003523B3,000000FF), ref: 0033011C
Part of subcall function 003300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003523B3,000000FF), ref: 00330127
Part of subcall function 003300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003523B3,000000FF), ref: 00330138
Part of subcall function 003300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0033014E
Part of subcall function 003300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0033015C
Part of subcall function 003300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0033016A
Part of subcall function 003300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00330195
Part of subcall function 003300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003301A0

___scrt_fastfail.LIBCMT ref: 003300E7

Part of subcall function 003300A3: __onexit.LIBCMT ref: 003300A9

Strings

kernel32.dll, xrefs: 00330133
InitializeConditionVariable, xrefs: 00330148
SleepConditionVariableCS, xrefs: 00330154
WakeAllConditionVariable, xrefs: 00330162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00330122

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 97c0c68a480e6d027182bd5eadd21a2feede73f4c3f382ef17adb0b3140a7b3a
Instruction ID: b07f5e0ea3d28d150b65201d0169390317c649bce90a45cd1a118928ed88cfe4
Opcode Fuzzy Hash: 97c0c68a480e6d027182bd5eadd21a2feede73f4c3f382ef17adb0b3140a7b3a
Instruction Fuzzy Hash: 6F21F936A547106FD72B6BB4AC95B6A73ACDB06F51F010135F801A66D1DBB49C008A90

Function 003844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,003ACC08), ref: 00384527
_wcslen.LIBCMT ref: 0038453B
_wcslen.LIBCMT ref: 00384599
_wcslen.LIBCMT ref: 003845F4
_wcslen.LIBCMT ref: 0038463F
_wcslen.LIBCMT ref: 003846A7

Part of subcall function 0032F9F2: _wcslen.LIBCMT ref: 0032F9FD

GetDriveTypeW.KERNEL32(?,003D6BF0,00000061), ref: 00384743

Strings

removable, xrefs: 003845EA, 003845EF
ramdisk, xrefs: 003846F1
fixed, xrefs: 00384635, 0038463A
cdrom, xrefs: 0038458F, 00384594
network, xrefs: 0038469D, 003846A2
all, xrefs: 00384531, 00384536
unknown, xrefs: 00384708

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3eecb7919ffe76826d22b6eb1ea1c30a419926c116943562a5edcec61c88dc41
Instruction ID: 717dae6aba2ae25685e37f7a1469dc6ad24b6bded703241ac81e0f3ea196e4b3
Opcode Fuzzy Hash: 3eecb7919ffe76826d22b6eb1ea1c30a419926c116943562a5edcec61c88dc41
Instruction Fuzzy Hash: B0B126316083039FC716EF28C891A6EB7E5BFAA720F51495DF4A6C7691E730D884CB52

Function 003A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

DragQueryPoint.SHELL32(?,?), ref: 003A9147

Part of subcall function 003A7674: ClientToScreen.USER32(?,?), ref: 003A769A
Part of subcall function 003A7674: GetWindowRect.USER32(?,?), ref: 003A7710
Part of subcall function 003A7674: PtInRect.USER32(?,?,003A8B89), ref: 003A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 003A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 003A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 003A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 003A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 003A9277
DragFinish.SHELL32(?), ref: 003A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003A9371

Strings

@GUI_DRAGFILE, xrefs: 003A9320
@GUI_DRAGID, xrefs: 003A92E9
@GUI_DROPID, xrefs: 003A929E
p#>, xrefs: 003A92BB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#>
API String ID: 221274066-2972201462
Opcode ID: 5b839d7c6c2082839955db8c295543ba354edfe51a202428e30b7e09eed6d6d6
Instruction ID: ca605421b9105303a06e925fee75c98f94232a083fb2b4ce62d523c425c3663e
Opcode Fuzzy Hash: 5b839d7c6c2082839955db8c295543ba354edfe51a202428e30b7e09eed6d6d6
Instruction Fuzzy Hash: 06615C71108301AFC706DF65DC85EAFBBE8EF8A750F000A1EF595971A1DB709A49CB92

Function 0031326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(003E1990), ref: 00352F8D
GetMenuItemCount.USER32(003E1990), ref: 0035303D
GetCursorPos.USER32(?), ref: 00353081
SetForegroundWindow.USER32(00000000), ref: 0035308A
TrackPopupMenuEx.USER32(003E1990,00000000,?,00000000,00000000,00000000), ref: 0035309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003530A9

Strings

0, xrefs: 0031327D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 949fa149c00f1f50091b8f782b9507f6b101c42db16ec75068f8579b2065a04e
Instruction ID: 42938277add25ad059b3582f559a8a65ab8ded97ad376b9b8ce3c3c85f43ed49
Opcode Fuzzy Hash: 949fa149c00f1f50091b8f782b9507f6b101c42db16ec75068f8579b2065a04e
Instruction Fuzzy Hash: D2711770644205BEEB279F25DC49FAABF68FF06364F204216F9156A1F0C7B1AD54CB90

Function 003A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 003A6DEB

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A6E94
DestroyWindow.USER32(?), ref: 003A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00310000,00000000), ref: 003A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A6EFD
GetDesktopWindow.USER32 ref: 003A6F16
GetWindowRect.USER32(00000000), ref: 003A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003A6F4D

Part of subcall function 00329944: GetWindowLongW.USER32(?,000000EB), ref: 00329952

Strings

tooltips_class32, xrefs: 003A6E58, 003A6EDD
0, xrefs: 003A6D98

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 291d26145a93ef57d167ffde8b6875c1d6c5950b76a9bff8034400bbf1c3120b
Instruction ID: 27f2126273496dd47ba3946dbf2fe3d88eb6679c181b4fe8f8e08d573dd99259
Opcode Fuzzy Hash: 291d26145a93ef57d167ffde8b6875c1d6c5950b76a9bff8034400bbf1c3120b
Instruction Fuzzy Hash: 28715874144244AFDB22CF18DC55FAABBE9FB8A304F08451EF999872A1C770A945CB51

Function 0038C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0038C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0038C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0038C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0038C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0038C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0038C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0038C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0038C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0038C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0038C5F0
InternetCloseHandle.WININET(00000000), ref: 0038C5FB

Strings

, xrefs: 0038C575

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a616765e36753d35e31f723015c172f40aea7374fc753d704ba606ef75e46cb5
Instruction ID: b352ac00af0ea46f1d5c1ac28564839366071f33e6b2d1e126dcc58ae32d4f23
Opcode Fuzzy Hash: a616765e36753d35e31f723015c172f40aea7374fc753d704ba606ef75e46cb5
Instruction Fuzzy Hash: F7516CB0510304BFDB23AF61C988AAB7BFCFB0A344F006459F94596650DB35E944DB70

Function 003A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 003A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85BA
GlobalLock.KERNEL32(00000000), ref: 003A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85D7
GlobalUnlock.KERNEL32(00000000), ref: 003A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,003AFC38,?), ref: 003A8611
GlobalFree.KERNEL32(00000000), ref: 003A8621
GetObjectW.GDI32(?,00000018,?), ref: 003A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 003A8671
DeleteObject.GDI32(?), ref: 003A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003A86AF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0ff3ca48061ff68ef9a249f0bf3b9549d15963bf63d065d579228f6845ef03ef
Instruction ID: e3c6692f64d59378b8bf1504dbddbc564e67d6ae4c5a1148d19222c6bd173c0d
Opcode Fuzzy Hash: 0ff3ca48061ff68ef9a249f0bf3b9549d15963bf63d065d579228f6845ef03ef
Instruction Fuzzy Hash: E841F875610208AFDB12DFA5DC88EAABBBCFF8AB11F154558F905E7260DB349D01CB60

Function 003814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00381502
VariantCopy.OLEAUT32(?,?), ref: 0038150B
VariantClear.OLEAUT32(?), ref: 00381517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00381657
VariantInit.OLEAUT32(?), ref: 00381708
SysFreeString.OLEAUT32(?), ref: 0038178C
VariantClear.OLEAUT32(?), ref: 003817D8
VariantClear.OLEAUT32(?), ref: 003817E7
VariantInit.OLEAUT32(00000000), ref: 00381823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00381625
Default, xrefs: 003816AF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: fb9b38f99ccd36d279a8269982d79213095e436f9e8cd1d2b9d6d7fd68e66b02
Instruction ID: c9d492b12914623bd2a224d3c7a9423747c20ef3f78bc2027c87cce77d84f243
Opcode Fuzzy Hash: fb9b38f99ccd36d279a8269982d79213095e436f9e8cd1d2b9d6d7fd68e66b02
Instruction Fuzzy Hash: E8D10432600215DBDB16AF65E885BBDB7BDBF86700F10809AF446AF580DB30DC42DB51

Function 0039B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 0039C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039C9F1
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA68
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0039B80A
RegCloseKey.ADVAPI32(?), ref: 0039B87E
RegCloseKey.ADVAPI32(?), ref: 0039B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0039B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0039B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0039B922
FreeLibrary.KERNEL32(00000000), ref: 0039B983
RegCloseKey.ADVAPI32(00000000), ref: 0039B994

Strings

RegDeleteKeyExW, xrefs: 0039B8FE
advapi32.dll, xrefs: 0039B8ED

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 35c9aceb6dd1efa9131b6a4e1270821c743759a230fb53393d66dd93dd792563
Instruction ID: 5b383b2e3b9ac71b348b3492f40b4d55442e7702d5e3cbc9b785ec6f70fa5631
Opcode Fuzzy Hash: 35c9aceb6dd1efa9131b6a4e1270821c743759a230fb53393d66dd93dd792563
Instruction Fuzzy Hash: EFC1AE30218201AFDB16DF14D595F6AFBE5BF88308F15859CF59A4B2A2CB31EC85CB91

Function 0039255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003925E8
CreateCompatibleDC.GDI32(?), ref: 003925F4
SelectObject.GDI32(00000000,?), ref: 00392601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0039266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003926D0
SelectObject.GDI32(?,?), ref: 003926D8
DeleteObject.GDI32(?), ref: 003926E1
DeleteDC.GDI32(?), ref: 003926E8
ReleaseDC.USER32(00000000,?), ref: 003926F3

Strings

(, xrefs: 0039268D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e12f4dfc910e250cd6c3b508c812815e040814c73ef0320911ba696d80786e0e
Instruction ID: b84130b1cef584695dc8661ccb284b3e4c58a1c8004e5d882a6d8609b2e97819
Opcode Fuzzy Hash: e12f4dfc910e250cd6c3b508c812815e040814c73ef0320911ba696d80786e0e
Instruction Fuzzy Hash: 7761E375E00219EFCF06CFA4D884AAEBBF9FF48310F208529E955A7250D770A941CF90

Function 0034DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0034DAA1

Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D659
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D66B
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D67D
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D68F
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6A1
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6B3
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6C5
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6D7
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6E9
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6FB
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D70D
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D71F
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D731

_free.LIBCMT ref: 0034DA96

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 0034DAB8
_free.LIBCMT ref: 0034DACD
_free.LIBCMT ref: 0034DAD8
_free.LIBCMT ref: 0034DAFA
_free.LIBCMT ref: 0034DB0D
_free.LIBCMT ref: 0034DB1B
_free.LIBCMT ref: 0034DB26
_free.LIBCMT ref: 0034DB5E
_free.LIBCMT ref: 0034DB65
_free.LIBCMT ref: 0034DB82
_free.LIBCMT ref: 0034DB9A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1e5be4842a00645fced3e6d8b30c40849401ed6fa881d3def179605720683f39
Instruction ID: 17209ead028a21b35f35c7ed12b8065dbe8aa8623b30fb7877be6497231f9f53
Opcode Fuzzy Hash: 1e5be4842a00645fced3e6d8b30c40849401ed6fa881d3def179605720683f39
Instruction Fuzzy Hash: 1A312A326046059FEB23AA39E845B5B77E9FF01310F56441AF449EF291DB31BC50C720

Function 0037365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0037369C
_wcslen.LIBCMT ref: 003736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00373797
GetClassNameW.USER32(?,?,00000400), ref: 0037380C
GetDlgCtrlID.USER32(?), ref: 0037385D
GetWindowRect.USER32(?,?), ref: 00373882
GetParent.USER32(?), ref: 003738A0
ScreenToClient.USER32(00000000), ref: 003738A7
GetClassNameW.USER32(?,?,00000100), ref: 00373921
GetWindowTextW.USER32(?,?,00000400), ref: 0037395D

Strings

%s%u, xrefs: 00373734

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 79cdeab33eb0fd0f5cbf6367014682a9d21410b5be6c1400b846c4300ea9ea2f
Instruction ID: 6925c07ca8e5a3a5d1c46e8ee47dc886d45094cd95868daef0ae5bff3aca7334
Opcode Fuzzy Hash: 79cdeab33eb0fd0f5cbf6367014682a9d21410b5be6c1400b846c4300ea9ea2f
Instruction Fuzzy Hash: 2191D171204606AFD72ADF24C885BEAF7E8FF45310F008629FA9DD6190DB34EA45DB91

Function 00374954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00374994
GetWindowTextW.USER32(?,?,00000400), ref: 003749DA
_wcslen.LIBCMT ref: 003749EB
CharUpperBuffW.USER32(?,00000000), ref: 003749F7
_wcsstr.LIBVCRUNTIME ref: 00374A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00374A64
GetWindowTextW.USER32(?,?,00000400), ref: 00374A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00374AE6
GetClassNameW.USER32(?,?,00000400), ref: 00374B20
GetWindowRect.USER32(?,?), ref: 00374B8B

Strings

ThumbnailClass, xrefs: 00374A6F, 00374AF1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 6fe7078471857946d9e3f445c30427f4b3a0636490d5398dffb713a2c7555930
Instruction ID: 0adddcd26b93210ef3d1f22b9a3576a1b0a3cca8de4476ffce986469e07c691b
Opcode Fuzzy Hash: 6fe7078471857946d9e3f445c30427f4b3a0636490d5398dffb713a2c7555930
Instruction Fuzzy Hash: F491C1311042099FDB26DF14C981BAA77E8FF84314F05C46AFD899A196EB38FD45CBA1

Function 003A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003A8D5A
GetFocus.USER32 ref: 003A8D6A
GetDlgCtrlID.USER32(00000000), ref: 003A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 003A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003A8ECF
GetMenuItemCount.USER32(?), ref: 003A8EEC
GetMenuItemID.USER32(?,00000000), ref: 003A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003A8FA1

Strings

0, xrefs: 003A8E9F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d8ad9cc019d78c61d247241ffd4d8bc0bf6b47e83ec78ac4b2bbb09495a9b23f
Instruction ID: 1d72520492553d7bf84d3f05ada71bc42bf1cc252b48737929ec8e887eb01a1f
Opcode Fuzzy Hash: d8ad9cc019d78c61d247241ffd4d8bc0bf6b47e83ec78ac4b2bbb09495a9b23f
Instruction Fuzzy Hash: B381B1715083019FDB22CF24D884EABBBE9FF8A754F150A1DF9959B291DB70D900CBA1

Function 0037DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0037DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0037DC46
_wcslen.LIBCMT ref: 0037DC50
_wcsstr.LIBVCRUNTIME ref: 0037DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0037DCBC

Strings

StringFileInfo\, xrefs: 0037DC8F
DefaultLangCodepage, xrefs: 0037DD1F
\VarFileInfo\Translation, xrefs: 0037DCB4
04090000, xrefs: 0037DCF2
%u.%u.%u.%u, xrefs: 0037DD9A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: c811e92b89a944e4f98e4751a7bb35ae56d748ce2ca47a63ee19167d36c7f35d
Instruction ID: 82ed8656575b57d6c3431dd91fae9dd993edd9cb60f32b0dbe1dc83fe7e0f673
Opcode Fuzzy Hash: c811e92b89a944e4f98e4751a7bb35ae56d748ce2ca47a63ee19167d36c7f35d
Instruction Fuzzy Hash: 124128329402107ADB27A774AC83FFF77BCEF56710F10406AF904EA182EB79990097A4

Function 0039CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0039CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0039CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0039CD48

Part of subcall function 0039CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0039CCAA
Part of subcall function 0039CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0039CCBD
Part of subcall function 0039CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0039CCCF
Part of subcall function 0039CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0039CD05
Part of subcall function 0039CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0039CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0039CCF3

Strings

RegDeleteKeyExW, xrefs: 0039CCC9
advapi32.dll, xrefs: 0039CCB8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 48a3869c15e86c7fd00a5199429dc0987ba020bfd2fb73b6e49c6565c5d39006
Instruction ID: de762413c6cc998d329aee5097b8c592d930560df545824fe8fee9c4feea8a61
Opcode Fuzzy Hash: 48a3869c15e86c7fd00a5199429dc0987ba020bfd2fb73b6e49c6565c5d39006
Instruction Fuzzy Hash: 9F316C72A11129BBDB22CB54DC88EFFBB7CEF46750F011165E906E2240DA349E46DAA0

Function 00383D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00383D40
_wcslen.LIBCMT ref: 00383D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00383D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00383DBE
RemoveDirectoryW.KERNEL32(?), ref: 00383DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00383E55
CloseHandle.KERNEL32(00000000), ref: 00383E60
CloseHandle.KERNEL32(00000000), ref: 00383E6B

Strings

\, xrefs: 00383D77
:, xrefs: 00383D82
\??\%s, xrefs: 00383D5B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 82af3fb8f38808b6e6705b655dc19a18c8ed42730605db853bc5215e24a1cb15
Instruction ID: 7011baf2b5383df35136764f30c6c664f285b67ae6610debcdd07979a29b41fa
Opcode Fuzzy Hash: 82af3fb8f38808b6e6705b655dc19a18c8ed42730605db853bc5215e24a1cb15
Instruction Fuzzy Hash: A431C676910209ABDB22AFA0DC49FEF37BCEF89B00F1141B5F505D6160EB7497488B24

Function 0037E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0037E6B4

Part of subcall function 0032E551: timeGetTime.WINMM(?,?,0037E6D4), ref: 0032E555

Sleep.KERNEL32(0000000A), ref: 0037E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0037E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0037E727
SetActiveWindow.USER32 ref: 0037E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0037E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0037E773
Sleep.KERNEL32(000000FA), ref: 0037E77E
IsWindow.USER32 ref: 0037E78A
EndDialog.USER32(00000000), ref: 0037E79B

Strings

BUTTON, xrefs: 0037E719

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7fb0afacd5769b009c1e68de4396793e9b6ddf2c3e0ce204801521a533a1d6ed
Instruction ID: 33354c80dbf78af15d599005e6fae3a9c7a88bf2b0656a4ec0ad450ae0d688c7
Opcode Fuzzy Hash: 7fb0afacd5769b009c1e68de4396793e9b6ddf2c3e0ce204801521a533a1d6ed
Instruction Fuzzy Hash: DE21C670210284AFEF335F24ECC9A263B6DF75A348F109565F45D851F1DBF5AC008A24

Function 0037E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0037EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0037EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0037EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0037EAA7

Strings

status PlayMe mode, xrefs: 0037EA58
close PlayMe, xrefs: 0037EA6E, 0037EA9B
open , xrefs: 0037EA0C
alias PlayMe, xrefs: 0037EA36
play PlayMe, xrefs: 0037EAA2
play PlayMe wait, xrefs: 0037EA91

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 43a2401d71d2facb31035502379ef0a846be7728a2d7bb73b6b53fdd6a0faa7c
Instruction ID: 91a05a9dcfe1e0e5987584311d7b57cb816c7d273f0160bef361ace2e8e1390b
Opcode Fuzzy Hash: 43a2401d71d2facb31035502379ef0a846be7728a2d7bb73b6b53fdd6a0faa7c
Instruction Fuzzy Hash: 9C11C632A9025979D726A7A1EC5BEFF6B7CEBD5B00F00042AF821A60D0EF701D45C5B0

Function 00375CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00375CE2
GetWindowRect.USER32(00000000,?), ref: 00375CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00375D59
GetDlgItem.USER32(?,00000002), ref: 00375D69
GetWindowRect.USER32(00000000,?), ref: 00375D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00375DCF
GetDlgItem.USER32(?,000003E9), ref: 00375DDD
GetWindowRect.USER32(00000000,?), ref: 00375DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00375E31
GetDlgItem.USER32(?,000003EA), ref: 00375E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00375E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00375E67

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 8f0931878f95751094c108d339d1eff80507db6f9f8d15552a083d0dbd3f67de
Instruction ID: b0f9445f196445a61919b8ef0edb2c4a749c6b6945451c5a429f2b4f07ca748e
Opcode Fuzzy Hash: 8f0931878f95751094c108d339d1eff80507db6f9f8d15552a083d0dbd3f67de
Instruction Fuzzy Hash: 15512F71B10609AFDF19CF68DD89AAEBBB9FB48300F159129F519E7290D7749E00CB50

Function 00328BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00328F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00328BE8,?,00000000,?,?,?,?,00328BBA,00000000,?), ref: 00328FC5

DestroyWindow.USER32(?), ref: 00328C81
KillTimer.USER32(00000000,?,?,?,?,00328BBA,00000000,?), ref: 00328D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00366973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00328BBA,00000000,?), ref: 003669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00328BBA,00000000,?), ref: 003669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00328BBA,00000000), ref: 003669D4
DeleteObject.GDI32(00000000), ref: 003669E6

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f0418bafe160ef2cf56766016eb92b0354112897c9d657e620a1f856d27fcada
Instruction ID: c681ac23b459064988e1b865e8d29d22f79ae20f6feb81faa804d431f53980e8
Opcode Fuzzy Hash: f0418bafe160ef2cf56766016eb92b0354112897c9d657e620a1f856d27fcada
Instruction Fuzzy Hash: 8461BD31503620DFCB379F14EA89B29B7F9FB41312F16961CE0429A9A4CB31AC90CF90

Function 00329838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00329944: GetWindowLongW.USER32(?,000000EB), ref: 00329952

GetSysColor.USER32(0000000F), ref: 00329862

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: eb8aa00a0b17dc7261244fe9918ab6aad5957e2569ab3102c5e9f98c56a53410
Instruction ID: 951c297d77944541216150d96639ea95df37b1a3922b42dd6dce529c5abd3549
Opcode Fuzzy Hash: eb8aa00a0b17dc7261244fe9918ab6aad5957e2569ab3102c5e9f98c56a53410
Instruction Fuzzy Hash: 2341B7315046509FDB275F38AC88BB93BA9FB17330F594656F9A28B1E1D7319C42DB10

Function 00348D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.3, xrefs: 0034903A, 00348FD0, 00348FF2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: .3
API String ID: 0-376848344
Opcode ID: 494addb71db35ff5f452154437375fd7fb30e115d94b864f16d4f99c8ac8bdda
Instruction ID: 88cdbfff4dcc2c9b73d67730a7d5afe98b2c88a833b0744496ef18c535865318
Opcode Fuzzy Hash: 494addb71db35ff5f452154437375fd7fb30e115d94b864f16d4f99c8ac8bdda
Instruction Fuzzy Hash: A0C1C374D04249AFDB13DFA8D885BAEBBF4AF09310F15415AF414AF392C770A942CB61

Function 003796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0035F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00379717
LoadStringW.USER32(00000000,?,0035F7F8,00000001), ref: 00379720

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0035F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00379742
LoadStringW.USER32(00000000,?,0035F7F8,00000001), ref: 00379745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00379866

Strings

^ ERROR, xrefs: 003797FB
%s (%d) : ==> %s: %s %s, xrefs: 0037984A
Line %d:, xrefs: 003797A0
Line %d (File "%s"):, xrefs: 0037978F
Error: , xrefs: 0037981D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6640ac2c1f1c70c2496791202e75d092b9ca8e7ad539db903c276a8334c892d0
Instruction ID: 20ddfb70e3f534fcb1a0d97a56483d1faf4b08dfadb2ea7b94147346732187f9
Opcode Fuzzy Hash: 6640ac2c1f1c70c2496791202e75d092b9ca8e7ad539db903c276a8334c892d0
Instruction Fuzzy Hash: DF4164729001096ACB1AEBD0DD53EEE737CAF19340F104566F60576091EB356F88CB61

Function 003706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00370804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0037082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00370837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0037083C

Strings

SOFTWARE\Classes\, xrefs: 0037070E
\IPC$, xrefs: 00370784
\CLSID, xrefs: 00370724

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 681e0962aa945bbd224c06dc4a24df68a8b3563b0bd2b64f6df4f88c6e025fb0
Instruction ID: 2be3a37e0f30e2b260e5c910957acb3d4a7934b4afd2684c65ec2557d7b20bdf
Opcode Fuzzy Hash: 681e0962aa945bbd224c06dc4a24df68a8b3563b0bd2b64f6df4f88c6e025fb0
Instruction Fuzzy Hash: 1A411A72C10229EBCF2AEBA4DC95DEDB778BF08350F05412AE905A7160EB349E44CB90

Function 00393C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00393C5C
CoInitialize.OLE32(00000000), ref: 00393C8A
CoUninitialize.OLE32 ref: 00393C94
_wcslen.LIBCMT ref: 00393D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00393DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00393ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00393F0E
CoGetObject.OLE32(?,00000000,003AFB98,?), ref: 00393F2D
SetErrorMode.KERNEL32(00000000), ref: 00393F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00393FC4
VariantClear.OLEAUT32(?), ref: 00393FD8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9a959a059d4e286baebe8ec9766a121351ef9ef16afc390fe9979df1b4eddbe3
Instruction ID: 84041a0b049bc18beca526641ff187b20a9ce0e69a69f7f1a817222e123502e5
Opcode Fuzzy Hash: 9a959a059d4e286baebe8ec9766a121351ef9ef16afc390fe9979df1b4eddbe3
Instruction Fuzzy Hash: 43C135B16083059FDB02DF68C88492BBBE9FF89744F10491DF98A9B210DB31EE45CB52

Function 00387A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00387AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00387B8F
SHGetDesktopFolder.SHELL32(?), ref: 00387BA3
CoCreateInstance.OLE32(003AFD08,00000000,00000001,003D6E6C,?), ref: 00387BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00387C74
CoTaskMemFree.OLE32(?,?), ref: 00387CCC
SHBrowseForFolderW.SHELL32(?), ref: 00387D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00387D7A
CoTaskMemFree.OLE32(00000000), ref: 00387D81
CoTaskMemFree.OLE32(00000000), ref: 00387DD6
CoUninitialize.OLE32 ref: 00387DDC

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 66d31f698522b2730fd41420873852a4d08225f23c383b97b51b559a5eeb214f
Instruction ID: d23cc065c9d7e35a97aa189b92605d7510e607be41859046ea8fbc8b13b9fb81
Opcode Fuzzy Hash: 66d31f698522b2730fd41420873852a4d08225f23c383b97b51b559a5eeb214f
Instruction Fuzzy Hash: 7AC11C75A04209AFCB15DFA4C884DAEBBF9FF49304B158499E819DB361D730EE45CB90

Function 003A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A5515
CharNextW.USER32(00000158), ref: 003A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A55AC

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 761399b0d3185f2b1250898f00c0c4a4c637f1270c8a7173c758807d3cd3b01f
Instruction ID: b69d744a85d5773b025e1fe49b4ed9bf5ba5ea059e2d049c9c7121783512d938
Opcode Fuzzy Hash: 761399b0d3185f2b1250898f00c0c4a4c637f1270c8a7173c758807d3cd3b01f
Instruction Fuzzy Hash: F1617C31904608EBDF12DF55CC849FE7BBDEB0B721F154149F925AA2A1D7748A80DBA0

Function 0036FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0036FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0036FB08
VariantInit.OLEAUT32(?), ref: 0036FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0036FB3A
VariantCopy.OLEAUT32(?,?), ref: 0036FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0036FBA1
VariantClear.OLEAUT32(?), ref: 0036FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0036FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0036FBCC
VariantClear.OLEAUT32(?), ref: 0036FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0036FBE9

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 813896d591f770ecbdb8008e48b021150822f5c4125961a1236e41ab2c1b22f1
Instruction ID: 0ef4b8a7c494032caa92e894466da6b28a2093d30974b61427f865aa8229031c
Opcode Fuzzy Hash: 813896d591f770ecbdb8008e48b021150822f5c4125961a1236e41ab2c1b22f1
Instruction Fuzzy Hash: 71416335A00219DFCB06DFA9D8549EDBBB9FF09344F00D069E905AB261CB30E945CFA0

Function 00379C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00379CA1
GetAsyncKeyState.USER32(000000A0), ref: 00379D22
GetKeyState.USER32(000000A0), ref: 00379D3D
GetAsyncKeyState.USER32(000000A1), ref: 00379D57
GetKeyState.USER32(000000A1), ref: 00379D6C
GetAsyncKeyState.USER32(00000011), ref: 00379D84
GetKeyState.USER32(00000011), ref: 00379D96
GetAsyncKeyState.USER32(00000012), ref: 00379DAE
GetKeyState.USER32(00000012), ref: 00379DC0
GetAsyncKeyState.USER32(0000005B), ref: 00379DD8
GetKeyState.USER32(0000005B), ref: 00379DEA

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 713e866110934d9a2f4eebfe689964b8a0ab329143406aac22fb5f57df2280f9
Instruction ID: 2221140bc4ee4ad0030e6670a2894eec08b2c76c720198eecef269277154b5a3
Opcode Fuzzy Hash: 713e866110934d9a2f4eebfe689964b8a0ab329143406aac22fb5f57df2280f9
Instruction Fuzzy Hash: B341C9345047CA6DFF33966488043B5BEE16F13344F09C25BDACA565C2EBAD99C4C792

Function 0039055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003905BC
inet_addr.WSOCK32(?), ref: 0039061C
gethostbyname.WSOCK32(?), ref: 00390628
IcmpCreateFile.IPHLPAPI ref: 00390636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003907B9
WSACleanup.WSOCK32 ref: 003907BF

Strings

Ping, xrefs: 00390676

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bf0a23e46ed51bef7bb3f50be0136c6e35c7b5334772b780a1de23f674328d2e
Instruction ID: 59773b7a7a58cd745d0c3ba92970a3b37b9a7f66239f29c1bdd1e310c04bec76
Opcode Fuzzy Hash: bf0a23e46ed51bef7bb3f50be0136c6e35c7b5334772b780a1de23f674328d2e
Instruction Fuzzy Hash: 07918D356082019FDB26DF15D488F1ABBE4EF49328F1585A9E4698F6A2C730EC81CF91

Function 00398CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00398CF3

Part of subcall function 00378E54: _wcslen.LIBCMT ref: 00378E77

_wcslen.LIBCMT ref: 00398D4E
_wcslen.LIBCMT ref: 00398D9C
_wcslen.LIBCMT ref: 00398DDC
_wcslen.LIBCMT ref: 00398E6E

Strings

stdcall, xrefs: 00398DD6, 00398DDB
winapi, xrefs: 00398D96, 00398D9B
cdecl, xrefs: 00398D48, 00398D4D
none, xrefs: 00398E65, 00398E6A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 48b01f59a03893d666e8eba7654bad6d34c59a82c8125c995354807eecce236d
Instruction ID: 6b8800b0ad741a03746cf7d30a86ec7fe1057153adad4ea6516c9156f6487a6f
Opcode Fuzzy Hash: 48b01f59a03893d666e8eba7654bad6d34c59a82c8125c995354807eecce236d
Instruction Fuzzy Hash: 6151A432A041169BCF16DF6CC9519BEB7A5BFA6724B214229E426EB3C4DF31DD40C790

Function 0039372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00393774
CoUninitialize.OLE32 ref: 0039377F
CoCreateInstance.OLE32(?,00000000,00000017,003AFB78,?), ref: 003937D9
IIDFromString.OLE32(?,?), ref: 0039384C
VariantInit.OLEAUT32(?), ref: 003938E4
VariantClear.OLEAUT32(?), ref: 00393936

Strings

Invalid parameter, xrefs: 00393865
Failed to create object, xrefs: 003937E4, 0039389A
NULL Pointer assignment, xrefs: 0039381E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 83cc4075052a3bee5899271e039107b0c7daf3d873a830f413d651fc6ac782f5
Instruction ID: c6759340ed5aaf227299786343b95e66cae63b384f15243f01dd75a61e025784
Opcode Fuzzy Hash: 83cc4075052a3bee5899271e039107b0c7daf3d873a830f413d651fc6ac782f5
Instruction Fuzzy Hash: E561B1B1608311AFD712DF54C888FAABBE8EF49710F00480DF9859B291D770EE48CB92

Function 00388195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00388257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00388267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00388273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00388310
SetCurrentDirectoryW.KERNEL32(?), ref: 00388324
SetCurrentDirectoryW.KERNEL32(?), ref: 00388356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0038838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00388395

Strings

*.*, xrefs: 0038839B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2001d3a67e89aa02c949170c42f950b979a74d8bb297d311494c17197bc03461
Instruction ID: 2e69872ed7f53c5f0b0be7a10ad3046d3970792ba58efa9ea11f25fe3314ad40
Opcode Fuzzy Hash: 2001d3a67e89aa02c949170c42f950b979a74d8bb297d311494c17197bc03461
Instruction Fuzzy Hash: 9A618D765043059FCB15EF60C8809AEB3E9FF89310F44895EF989CB251EB35E945CB92

Function 003A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

Part of subcall function 0032912D: GetCursorPos.USER32(?), ref: 00329141
Part of subcall function 0032912D: ScreenToClient.USER32(00000000,?), ref: 0032915E
Part of subcall function 0032912D: GetAsyncKeyState.USER32(00000001), ref: 00329183
Part of subcall function 0032912D: GetAsyncKeyState.USER32(00000002), ref: 0032919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 003A8B6B
ImageList_EndDrag.COMCTL32 ref: 003A8B71
ReleaseCapture.USER32 ref: 003A8B77
SetWindowTextW.USER32(?,00000000), ref: 003A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 003A8CFF

Strings

@GUI_DRAGFILE, xrefs: 003A8C9A
@GUI_DROPID, xrefs: 003A8C51
p#>, xrefs: 003A8C71

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#>
API String ID: 1924731296-3185979782
Opcode ID: ea332ba2ca1521341ba96b0ede105ee6eb9f630aafb93cec90842edc700afaa6
Instruction ID: 6d8e152c6c7f6f91363d3cde11f44012817fb5f19cc14be825740f255798e34c
Opcode Fuzzy Hash: ea332ba2ca1521341ba96b0ede105ee6eb9f630aafb93cec90842edc700afaa6
Instruction Fuzzy Hash: 09518B71104344AFD716DF14DC96FAAB7E8FB89710F000629F9925B2E2DB709944CBA2

Function 00383388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003833CF

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003833F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00383522
^ ERROR , xrefs: 0038349E
Incorrect parameters to object property !, xrefs: 003834AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00383504
Line %d (File "%s"):, xrefs: 00383443, 0038345C
Error: , xrefs: 003834D1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 9652112cbcd1cc1b8ee3865c02ded448a8b2702a2f462cc096f8ff273820c343
Instruction ID: 406d4c963d90edbc833be3ab2fa0f6702bb75f49d5ce557af26be1af7b0e3346
Opcode Fuzzy Hash: 9652112cbcd1cc1b8ee3865c02ded448a8b2702a2f462cc096f8ff273820c343
Instruction Fuzzy Hash: 3C519372900209AADF1BEBE0DD52EEEB378AF09740F104166F505771A1EB356F98DB60

Function 0037B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0037B5FC
_wcslen.LIBCMT ref: 0037B608
_wcslen.LIBCMT ref: 0037B64D
_wcslen.LIBCMT ref: 0037B68C
_wcslen.LIBCMT ref: 0037B6C7

Strings

APPEND, xrefs: 0037B6C1, 0037B6C6
KEYS, xrefs: 0037B647, 0037B64C
EXISTS, xrefs: 0037B686, 0037B68B
REMOVE, xrefs: 0037B602, 0037B607

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: acb68d486a5a1facc77f1860cf2f73ad0ee917a8294c0a667516bf091384247d
Instruction ID: 620dba21e65d8d68c480f3cde6acb0b6214194cbf34cf2116ccd39d98e703bed
Opcode Fuzzy Hash: acb68d486a5a1facc77f1860cf2f73ad0ee917a8294c0a667516bf091384247d
Instruction Fuzzy Hash: 6141FB32A000269BCB315F7DC8907BEF7B5BF64754B268129E629DB284E739CD81C790

Function 00385393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00385416
GetLastError.KERNEL32 ref: 00385420
SetErrorMode.KERNEL32(00000000,READY), ref: 003854A7

Strings

INVALID, xrefs: 00385459
READY, xrefs: 00385460, 00385468
READONLY, xrefs: 00385452
UNKNOWN, xrefs: 00385444
NOTREADY, xrefs: 0038544B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: da90b20f12debf7b824965ab3ceffc853fe6442a61e22f16fb0fd7a6634008e8
Instruction ID: 09a7c18bf76ce88b0ea177471339cfb1331302021c5820158083bd0acd673575
Opcode Fuzzy Hash: da90b20f12debf7b824965ab3ceffc853fe6442a61e22f16fb0fd7a6634008e8
Instruction Fuzzy Hash: 5131E135A006049FDB12EF69C485BAABBF8EF09305F1480A6E405CF392DB71DD86CB90

Function 003A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 003A3C79
SetMenu.USER32(?,00000000), ref: 003A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A3D10
IsMenu.USER32(?), ref: 003A3D24
CreatePopupMenu.USER32 ref: 003A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003A3D5B
DrawMenuBar.USER32 ref: 003A3D63

Strings

F, xrefs: 003A3D4E
0, xrefs: 003A3C54

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b2a7bd8b27460f8cbf3ad0f1939dc08c7e2bbc54229ba3892e8ffe6fd954353a
Instruction ID: 242e9487f8dc2f32d9ecffb0d2216fa1237e92df9dcca40224b52c89c228b81a
Opcode Fuzzy Hash: b2a7bd8b27460f8cbf3ad0f1939dc08c7e2bbc54229ba3892e8ffe6fd954353a
Instruction Fuzzy Hash: ED415C75A01209EFDB15CF65D884AEA7BB9FF4B350F150029F946A7360D730AA10CF94

Function 003A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 003A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 003A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 003A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 003A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 003A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003A3C13

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 690de11b3905889eb0ed87b37e7dea24f15f61c19fe7440b64a33de492157e7f
Instruction ID: 345e50b8d6201dfe380432ed7b808ff4038b764c5be196add40f54b192348649
Opcode Fuzzy Hash: 690de11b3905889eb0ed87b37e7dea24f15f61c19fe7440b64a33de492157e7f
Instruction Fuzzy Hash: F0616E75900248AFDB12DFA4CC81EEE77F8EB0A710F104159FA15AB2A1D774AE45DB60

Function 00342C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00342C94

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 00342CA0
_free.LIBCMT ref: 00342CAB
_free.LIBCMT ref: 00342CB6
_free.LIBCMT ref: 00342CC1
_free.LIBCMT ref: 00342CCC
_free.LIBCMT ref: 00342CD7
_free.LIBCMT ref: 00342CE2
_free.LIBCMT ref: 00342CED
_free.LIBCMT ref: 00342CFB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d11f32e01e165487c7a7d64f63247d9917ff0a561e12a3d548216b4cece33b7e
Instruction ID: bb13aa9caa057ae06ce3ec926d111c186d60c291767b76ab802890f083e3fe5f
Opcode Fuzzy Hash: d11f32e01e165487c7a7d64f63247d9917ff0a561e12a3d548216b4cece33b7e
Instruction Fuzzy Hash: 01116476500108AFDB02EF55D982CDE3BA5FF06350F9145A5FA48AF222DB31FA609B90

Function 00315BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00315C7A

Part of subcall function 00315D0A: GetClientRect.USER32(?,?), ref: 00315D30
Part of subcall function 00315D0A: GetWindowRect.USER32(?,?), ref: 00315D71
Part of subcall function 00315D0A: ScreenToClient.USER32(?,?), ref: 00315D99

GetDC.USER32 ref: 003546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00354708
SelectObject.GDI32(00000000,00000000), ref: 00354716
SelectObject.GDI32(00000000,00000000), ref: 0035472B
ReleaseDC.USER32(?,00000000), ref: 00354733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003547C4

Strings

U, xrefs: 00354693

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8686b60b85eb9cfabdd1d8cf294a1c30472bed5c33e962e84a0102db04b8d506
Instruction ID: b084ea3f957bd6e4fcef5fa87ac8bd5ed95a79a9db212fcdb2ba1a546e61f494
Opcode Fuzzy Hash: 8686b60b85eb9cfabdd1d8cf294a1c30472bed5c33e962e84a0102db04b8d506
Instruction Fuzzy Hash: E971DF34400205DFCF2B8F64C984EEA3BB9FF8A31AF154229ED655A1B6C7318885DF50

Function 0038359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003835E4

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

LoadStringW.USER32(003E2390,?,00000FFF,?), ref: 0038360A

Strings

^ ERROR, xrefs: 003836C9
"%s" (%d) : ==> %s:, xrefs: 00383742
"%s" (%d) : ==> %s:%s%s, xrefs: 00383724
Line %d (File "%s"):, xrefs: 0038366B
Error: , xrefs: 003836EF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6628238c3a78e7764a125a30a512cbf1b6d90f3f69ea5b1418139187e4a93384
Instruction ID: e9ab9fd0814e2dae6c8ec46505e81b8705aac6d703cd10b38e60db77d25dfe77
Opcode Fuzzy Hash: 6628238c3a78e7764a125a30a512cbf1b6d90f3f69ea5b1418139187e4a93384
Instruction Fuzzy Hash: C0516371900209BADF1BEBA0DC92EEDBB78EF08700F144166F515761A1EB315AD9DF60

Function 0038C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0038C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0038C2CA
GetLastError.KERNEL32 ref: 0038C322
SetEvent.KERNEL32(?), ref: 0038C336
InternetCloseHandle.WININET(00000000), ref: 0038C341

Strings

, xrefs: 0038C2BB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3a45d61d856f0e0b53bf6d4abefbc0d4862e4ef5e1c84bee9f63bcfa1a739ef2
Instruction ID: c545d755c91ccfddabd3b0144bf0854409234e9c9ecb218e04f037b80bc96424
Opcode Fuzzy Hash: 3a45d61d856f0e0b53bf6d4abefbc0d4862e4ef5e1c84bee9f63bcfa1a739ef2
Instruction Fuzzy Hash: 4231BFB5520304AFDB23AF649C88AAB7BFCEB49740F14955EF446D6200DB79DD058B70

Function 0037989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00353AAF,?,?,Bad directive syntax error,003ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003798BC
LoadStringW.USER32(00000000,?,00353AAF,?), ref: 003798C3

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00379987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 003798F1
Line %d:, xrefs: 00379912
Line %d (File "%s"):, xrefs: 0037992D
Error: , xrefs: 00379955
., xrefs: 0037996D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 9ab8f760941ce6c26780cbc21220b2ed47cad9ef957b6a9b3c09133b8beb5baa
Instruction ID: 36d9e9b509119ade7c7316b8dfc923a8d58bedb646ee0453084c9078c3576d43
Opcode Fuzzy Hash: 9ab8f760941ce6c26780cbc21220b2ed47cad9ef957b6a9b3c09133b8beb5baa
Instruction Fuzzy Hash: 7021B43290021AABDF17AF90CC06FED7779FF19300F044467F5256A0A1DB35A658DB50

Function 0037209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0037214D

Strings

SHELLDLL_DefView, xrefs: 003720CC
details, xrefs: 003720FB
list, xrefs: 0037212F
largeicons, xrefs: 003720E1
smallicons, xrefs: 00372115

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 76ab3b98cecf527ce6a5ff5192d19e7b86b20812dc774c2d4feee80880f19909
Instruction ID: 46c9bea389af2ed997c0cbf2d56379b63865ff7bffaebb2d92174a5478aa0f3f
Opcode Fuzzy Hash: 76ab3b98cecf527ce6a5ff5192d19e7b86b20812dc774c2d4feee80880f19909
Instruction Fuzzy Hash: 45112977688706B9FA236720EC07DE7779CEB15324F614017FB08A91E1FE6968115614

Function 0034CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0034CEB7
_free.LIBCMT ref: 0034CF22
_free.LIBCMT ref: 0034CF48
_free.LIBCMT ref: 0034CF71
_free.LIBCMT ref: 0034CFA9
_free.LIBCMT ref: 0034CFDA
_free.LIBCMT ref: 0034D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0034D09C
_free.LIBCMT ref: 0034D0B5

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 122de3c248298867b580433248c6dc341b767be0465c8d908db8142b138bfe16
Instruction ID: 7d2fe8cea3036ad553d5307598c12303fb1e2fbe4bf288c88cad6fbdf6d6eef8
Opcode Fuzzy Hash: 122de3c248298867b580433248c6dc341b767be0465c8d908db8142b138bfe16
Instruction Fuzzy Hash: 5C613671A05240AFDB27AFB49CC1AAE7BE9EF05310F45426DF940AF292DB35BD448760

Function 003A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 003A5186
ShowWindow.USER32(?,00000000), ref: 003A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 003A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 003A51D1

Part of subcall function 003A6FBA: DeleteObject.GDI32(00000000), ref: 003A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 003A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 003A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 003A5296

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 9c9abb7cc56312684967e4adaa288182ad6392db76c5b12cfdfb3614298c2519
Instruction ID: 8cf5f9ac5e1657dc9279ee1b8df478157460388e433fd4e4fa065193c229627a
Opcode Fuzzy Hash: 9c9abb7cc56312684967e4adaa288182ad6392db76c5b12cfdfb3614298c2519
Instruction Fuzzy Hash: C5519F30A50A08BEEF369F24DC4ABE97B69EB07321F158512F6159A2E1C775A980DB40

Function 00328B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00366890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00328874,00000000,00000000,00000000,000000FF,00000000), ref: 00366901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0036691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00328874,00000000,00000000,00000000,000000FF,00000000), ref: 0036692D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: bd9132807dfab4ad2eec8c9a7b03fc7ee4acc25f1f21fabc6cf0a2339a1e0fb4
Instruction ID: 4d7ac276f58b30f22837d8e2a03b0b33b7048c1a4427f0652ae3f2b5e37e9186
Opcode Fuzzy Hash: bd9132807dfab4ad2eec8c9a7b03fc7ee4acc25f1f21fabc6cf0a2339a1e0fb4
Instruction Fuzzy Hash: 80518B70600209EFDB22CF25DC96FAA7BB9FB48750F11851CF9169B2A0DB70E990DB50

Function 0038C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0038C182
GetLastError.KERNEL32 ref: 0038C195
SetEvent.KERNEL32(?), ref: 0038C1A9

Part of subcall function 0038C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038C272
Part of subcall function 0038C253: GetLastError.KERNEL32 ref: 0038C322
Part of subcall function 0038C253: SetEvent.KERNEL32(?), ref: 0038C336
Part of subcall function 0038C253: InternetCloseHandle.WININET(00000000), ref: 0038C341

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 795a64b7de0942673073107d226c5217083d20887b31397428e7e0fbc16e77d7
Instruction ID: e93fa5c0a7692a7399dc694e06562ab6481aaa19c3edf8ee12cf089b88976110
Opcode Fuzzy Hash: 795a64b7de0942673073107d226c5217083d20887b31397428e7e0fbc16e77d7
Instruction Fuzzy Hash: A5318B71220705AFDB22AFB59C48A66BBECFF59300B04A95DF95686660CB31E810DB70

Function 003725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00373A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00373A57
Part of subcall function 00373A3D: GetCurrentThreadId.KERNEL32 ref: 00373A5E
Part of subcall function 00373A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003725B3), ref: 00373A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00372601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00372605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0037260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00372623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00372627

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 779252e412be25208ea94b415c6dc8d3bcc0302c16cd03c57aa61b6ac1930e77
Instruction ID: 8fd40ce7c482f82689813b16f083d64112a08db46f2b5e06c71f84b70291b547
Opcode Fuzzy Hash: 779252e412be25208ea94b415c6dc8d3bcc0302c16cd03c57aa61b6ac1930e77
Instruction Fuzzy Hash: F901D4313A0210BBFB2167689C8AF5A7F5DDB4FB12F105001F358AE0E1C9E224459A6A

Function 00371803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00371449,?,?,00000000), ref: 0037180C
HeapAlloc.KERNEL32(00000000,?,00371449,?,?,00000000), ref: 00371813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00371449,?,?,00000000), ref: 00371828
GetCurrentProcess.KERNEL32(?,00000000,?,00371449,?,?,00000000), ref: 00371830
DuplicateHandle.KERNEL32(00000000,?,00371449,?,?,00000000), ref: 00371833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00371449,?,?,00000000), ref: 00371843
GetCurrentProcess.KERNEL32(00371449,00000000,?,00371449,?,?,00000000), ref: 0037184B
DuplicateHandle.KERNEL32(00000000,?,00371449,?,?,00000000), ref: 0037184E
CreateThread.KERNEL32(00000000,00000000,00371874,00000000,00000000,00000000), ref: 00371868

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3ab289418b16af52884578bd551f9eedaab7ac76699b5e6d7cf0ac1ce16ebd3a
Instruction ID: 8331d45eac7f098c407f92262cbdacff6a952fbcb8d0021e8ca207b3e2bf960f
Opcode Fuzzy Hash: 3ab289418b16af52884578bd551f9eedaab7ac76699b5e6d7cf0ac1ce16ebd3a
Instruction Fuzzy Hash: 0701BBB5350308BFE711ABA5DC4DF6B3BACEB8AB11F009411FA05DB1A1DA749800CB20

Function 0039A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0037D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0037D501
Part of subcall function 0037D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0037D50F
Part of subcall function 0037D4DC: CloseHandle.KERNEL32(00000000), ref: 0037D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0039A16D
GetLastError.KERNEL32 ref: 0039A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0039A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0039A268
GetLastError.KERNEL32(00000000), ref: 0039A273
CloseHandle.KERNEL32(00000000), ref: 0039A2C4

Strings

SeDebugPrivilege, xrefs: 0039A18F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7b68a44462960fb2f8ca0ed8f040649463e774bf80aecde26b13f34ca0c63e5b
Instruction ID: 9bcc84201c37b0f3fddd9148d2fa3df5cd03b7bad98a25319dafd24160e8cd67
Opcode Fuzzy Hash: 7b68a44462960fb2f8ca0ed8f040649463e774bf80aecde26b13f34ca0c63e5b
Instruction Fuzzy Hash: 71619D312086019FDB26DF14C494F16BBE5AF44318F15858CE4A64F7A2C776EC85CBC2

Function 003A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003A3954
_wcslen.LIBCMT ref: 003A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003A39F4

Strings

SysListView32, xrefs: 003A38F7

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: fb8e030e24981f341bb58468337382d815a67ced1a1284031cb6273e981ff13b
Instruction ID: 002742c7238798ad80f3cd3005606b171788c74dd0cc19b4cdc11453cca7a870
Opcode Fuzzy Hash: fb8e030e24981f341bb58468337382d815a67ced1a1284031cb6273e981ff13b
Instruction Fuzzy Hash: 3541C471A00218ABEF22DF64CC45FEA77A9EF09350F11012AF958E7291D7759E84CB90

Function 0037BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0037BCFD
IsMenu.USER32(00000000), ref: 0037BD1D
CreatePopupMenu.USER32 ref: 0037BD53
GetMenuItemCount.USER32(00FD7210), ref: 0037BDA4
InsertMenuItemW.USER32(00FD7210,?,00000001,00000030), ref: 0037BDCC

Strings

2, xrefs: 0037BD37
0, xrefs: 0037BCA8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 07a7e00b1a765aa3d10118cfe5fb0aac7930aff6866a8c24514f0673d99ecd21
Instruction ID: cf18c1009414be335cb378186a698aa87091904b3906ae7ed3158ae035c2bcc4
Opcode Fuzzy Hash: 07a7e00b1a765aa3d10118cfe5fb0aac7930aff6866a8c24514f0673d99ecd21
Instruction Fuzzy Hash: 6C519E70A00205DFDB32CFA9D888BAEFBF8AF45314F14C119E419DB291E7789940CB51

Function 00332D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00332D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00332D53
_ValidateLocalCookies.LIBCMT ref: 00332DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00332E0C
_ValidateLocalCookies.LIBCMT ref: 00332E61

Strings

csm, xrefs: 00332DF6
&H3, xrefs: 00332DFE, 00332E07, 00332E18

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H3$csm
API String ID: 1170836740-2036257025
Opcode ID: 5677792864fe45bdc268785d9597099847739f1deb3667fcf7ff9c3a9c7030cf
Instruction ID: ff332842e82468fc91a31a3be7b968ecbfe46aa47d9b373c98eab4496ccac1b8
Opcode Fuzzy Hash: 5677792864fe45bdc268785d9597099847739f1deb3667fcf7ff9c3a9c7030cf
Instruction Fuzzy Hash: E9419234A00209EBCF12DF68C8C5A9FBBB5BF44325F158155E925AB3A2D735EA05CBD0

Function 0037C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0037C913

Strings

question, xrefs: 0037C8CC
stop, xrefs: 0037C8E4
blank, xrefs: 0037C895
info, xrefs: 0037C8B4
warning, xrefs: 0037C8FC

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b8c7ece9b42f42046677da230bc8180965a367bab7961570aa99e3d85792e2bd
Instruction ID: 39f66283681286dcbd79efe0b84d92b5529d267bbd28b03dcf84dab5c8b309af
Opcode Fuzzy Hash: b8c7ece9b42f42046677da230bc8180965a367bab7961570aa99e3d85792e2bd
Instruction Fuzzy Hash: 92110D3269930ABAE7135B54AC83CEA679CDF16354F11502FF608A6282D7796D005365

Function 0037ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0037ED2A
_wcslen.LIBCMT ref: 0037ED3B
_wcslen.LIBCMT ref: 0037ED79
_wcslen.LIBCMT ref: 0037EDAF
_wcslen.LIBCMT ref: 0037EDDF
_wcslen.LIBCMT ref: 0037EDEF
_wcslen.LIBCMT ref: 0037EE2B
_wcslen.LIBCMT ref: 0037EE5A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 56bcc976600a830ed19da45162c9cef838ae35e416cc77fb3d0d7f2932d9117e
Instruction ID: 4ca75ce00e959fcc92bb15df232174a8cd15b65959d9ab9542302445b560aa98
Opcode Fuzzy Hash: 56bcc976600a830ed19da45162c9cef838ae35e416cc77fb3d0d7f2932d9117e
Instruction Fuzzy Hash: D1418665C1111875CB23EBF488CAACF77A8AF49710F508962F518E7522FB38E255C3E5

Function 0032F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0036682C,00000004,00000000,00000000), ref: 0032F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0036682C,00000004,00000000,00000000), ref: 0036F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0036682C,00000004,00000000,00000000), ref: 0036F454

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ef48511f586ba84103c554bec76b8faac1a72f22d0e198c548b3072c2274b1d1
Instruction ID: 276f54d1f227dd425832ecde16e335d5e401024626c37e180203ebd4d6bea740
Opcode Fuzzy Hash: ef48511f586ba84103c554bec76b8faac1a72f22d0e198c548b3072c2274b1d1
Instruction Fuzzy Hash: D8413E31608690BEC73B9B2DF88872A7BF9AF57314F15853CE04756A65D732A8C0CB51

Function 003A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003A2D1B
GetDC.USER32(00000000), ref: 003A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 003A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 003A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003A2DE1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c5470441022d08901e1127d1912b9a5a82936ec3faa9452578a96351ef0a0bcb
Instruction ID: 3cc283c23c4db994cffed34ca467cfc6dc98b2bc00c7f59a26f143195e42a9b4
Opcode Fuzzy Hash: c5470441022d08901e1127d1912b9a5a82936ec3faa9452578a96351ef0a0bcb
Instruction Fuzzy Hash: 77318E72211214BFEB128F54CC8AFEB3FADEF0A715F084055FE089A2A1C6759C50CBA4

Function 00375622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00375637
_memcmp.LIBVCRUNTIME ref: 00375659
_memcmp.LIBVCRUNTIME ref: 00375671
_memcmp.LIBVCRUNTIME ref: 00375684
_memcmp.LIBVCRUNTIME ref: 0037569E
_memcmp.LIBVCRUNTIME ref: 003756B1
_memcmp.LIBVCRUNTIME ref: 003756C9
_memcmp.LIBVCRUNTIME ref: 003756E4

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e2de278fd0ae2529d6f8bf3f9165d50a3afb95e36a842e4b20204c19837bd703
Instruction ID: 0aa5d85636d68dea035a485b1883c4cc2dbce511f9437f61849a569aef761ace
Opcode Fuzzy Hash: e2de278fd0ae2529d6f8bf3f9165d50a3afb95e36a842e4b20204c19837bd703
Instruction Fuzzy Hash: AB21C965641A097BD62F55218DC2FFA335CEF213A5F448024FD0C9EA81FBA9EE10C1E5

Function 00394FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00395007
NULL Pointer assignment, xrefs: 0039502E, 00395383

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 29c8908dd5d733954a78007d5a5ef38aa089f1e0ca2c71d1994c797d0e8c0172
Instruction ID: 9415d20797a0df83cd092b292889465f6df79499a7778873b348a819a08a3707
Opcode Fuzzy Hash: 29c8908dd5d733954a78007d5a5ef38aa089f1e0ca2c71d1994c797d0e8c0172
Instruction Fuzzy Hash: F4D1C275A0060A9FDF12CFA8C881FAEB7B5FF48344F158469E915AB281E770DD85CB90

Function 00351522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00351651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003517FB,?,003517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003516FB

Part of subcall function 00343820: RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00351777
__freea.LIBCMT ref: 003517A2
__freea.LIBCMT ref: 003517AE

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6bcc74c318f6a4ea598061f2f0fe5f172ff3b3c56f2c122c9196230ae6d96a0c
Instruction ID: bce1a18e6f6a18c81261f6a5678c8017f0b6ecb667bde467e1bce8a60c2e0888
Opcode Fuzzy Hash: 6bcc74c318f6a4ea598061f2f0fe5f172ff3b3c56f2c122c9196230ae6d96a0c
Instruction Fuzzy Hash: 5A91B771E102169ADF228E74C881FEE7BF99F4A311F194659EC01EB161E735DD48C760

Function 00394523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00394648
VariantInit.OLEAUT32(?), ref: 00394749
VariantClear.OLEAUT32(?), ref: 00394753
VariantClear.OLEAUT32(?), ref: 003947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0039472C
Null Object assignment in FOR..IN loop, xrefs: 003945D8, 00394706, 003947BE

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 92b8dd9258962d5972acc75c7eadb19d9ac58fbe42d156d23e316f50059a9858
Instruction ID: 5ffb0e917ac9a2e8df5af16eb01f7b4a151064bf944f6bb42dff792243bd1eb1
Opcode Fuzzy Hash: 92b8dd9258962d5972acc75c7eadb19d9ac58fbe42d156d23e316f50059a9858
Instruction Fuzzy Hash: CC91DF71A00219AFDF26CFA4DC84FAEBBB8EF46714F118559F515AB280D7709942CFA0

Function 00381187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0038125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00381284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0038135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00381430

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b9f7ae030d88fbb33c9a729bc2f034e31c08940b819bc94d51617acb8ea2aad3
Instruction ID: a2d2bd829243b6210d4720c67533b5c575ce41116b6e74af672275805d6a34c9
Opcode Fuzzy Hash: b9f7ae030d88fbb33c9a729bc2f034e31c08940b819bc94d51617acb8ea2aad3
Instruction Fuzzy Hash: 11910275A003189FDB02EFA5C885BBEB7BDFF45311F2144A9E900EB291D774A946CB90

Function 0032948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4fc2245ff6cf2956701cd54b3847e24f6ad24b4a9b20831fb31d561d7c0835e6
Instruction ID: 9f8c9a141f52edbc7715a635a4439b8169086196aee05907bf59da6d41265dfd
Opcode Fuzzy Hash: 4fc2245ff6cf2956701cd54b3847e24f6ad24b4a9b20831fb31d561d7c0835e6
Instruction Fuzzy Hash: 74915A71E00219EFCB12CFA9DC84AEEBBB8FF49320F248556E515B7251D374A941CBA0

Function 00393947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0039396B
CharUpperBuffW.USER32(?,?), ref: 00393A7A
_wcslen.LIBCMT ref: 00393A8A
VariantClear.OLEAUT32(?), ref: 00393C1F

Part of subcall function 00380CDF: VariantInit.OLEAUT32(00000000), ref: 00380D1F
Part of subcall function 00380CDF: VariantCopy.OLEAUT32(?,?), ref: 00380D28
Part of subcall function 00380CDF: VariantClear.OLEAUT32(?), ref: 00380D34

Strings

AUTOIT.ERROR, xrefs: 00393A80, 00393A85
Incorrect Parameter format, xrefs: 003939A6, 00393BA1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 18f7920f39b529014960e6b2fbeb519b6e2de1324db89a05882882bf082e173c
Instruction ID: 2948180dc5c82a814d402213f7c183f6bd58aa69a2bd75d65270526b7eec3f36
Opcode Fuzzy Hash: 18f7920f39b529014960e6b2fbeb519b6e2de1324db89a05882882bf082e173c
Instruction Fuzzy Hash: 61917AB56083059FCB15EF28C48096AB7E5FF89314F14886EF8899B351DB30EE45CB92

Function 00394BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0037000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?,?,0037035E), ref: 0037002B
Part of subcall function 0037000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370046
Part of subcall function 0037000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370054
Part of subcall function 0037000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?), ref: 00370064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00394C51
_wcslen.LIBCMT ref: 00394D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00394DCF
CoTaskMemFree.OLE32(?), ref: 00394DDA

Strings

NULL Pointer assignment, xrefs: 00394E23, 00394E52

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 87f25bb7fca9677a0c0293d96d968a0fb168f992b5c4c4c65325a0bcd1b424de
Instruction ID: 82a0a6a888c8d4ec163e0cc11fa054072778ad520e6530cb186587795ab6da98
Opcode Fuzzy Hash: 87f25bb7fca9677a0c0293d96d968a0fb168f992b5c4c4c65325a0bcd1b424de
Instruction Fuzzy Hash: 66911971D0021DAFDF16DFA4D891EEEB7B8BF08314F10816AE919AB251DB349A45CF60

Function 003A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 003A2183
GetMenuItemCount.USER32(00000000), ref: 003A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003A21DD
_wcslen.LIBCMT ref: 003A2213
GetMenuItemID.USER32(?,?), ref: 003A224D
GetSubMenu.USER32(?,?), ref: 003A225B

Part of subcall function 00373A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00373A57
Part of subcall function 00373A3D: GetCurrentThreadId.KERNEL32 ref: 00373A5E
Part of subcall function 00373A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003725B3), ref: 00373A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003A22E3

Part of subcall function 0037E97B: Sleep.KERNEL32 ref: 0037E9F3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 647c6aa49835be06beb680f573d541209ce040419bffae23d95ff5c66b5ac5db
Instruction ID: 11785bc89545238f62ef4df1d945fc194875c4d8891c7bbc3cd91b64e69c9590
Opcode Fuzzy Hash: 647c6aa49835be06beb680f573d541209ce040419bffae23d95ff5c66b5ac5db
Instruction Fuzzy Hash: 0671AE35E00205AFCB16DF68C885AAEB7F5EF4A310F158869E816EB351DB34ED418B90

Function 0037AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0037AEF9
GetKeyboardState.USER32(?), ref: 0037AF0E
SetKeyboardState.USER32(?), ref: 0037AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0037AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0037AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0037AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0037B020

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8d1f663d9dd214c9344414dd104e805976d4e35087f6e058fe34fa0cb2deeb1d
Instruction ID: 8033748475277e10b266cacdf13e4f90de1032faf9dd9fa0223805141bad055f
Opcode Fuzzy Hash: 8d1f663d9dd214c9344414dd104e805976d4e35087f6e058fe34fa0cb2deeb1d
Instruction Fuzzy Hash: EA51C1A0608BD53DFB3782348C45BBEBEA95B46304F09C589E1DD998D3C39CA8C8D751

Function 0037ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0037AD19
GetKeyboardState.USER32(?), ref: 0037AD2E
SetKeyboardState.USER32(?), ref: 0037AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0037ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0037ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0037AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0037AE38

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 781b798a80e7bf418df587b3673d98b05150660bca51391275588b69b66ac91d
Instruction ID: d96feb643019a4a92d66b58b5b88541b055ba69e38c36c04de773f2610a87887
Opcode Fuzzy Hash: 781b798a80e7bf418df587b3673d98b05150660bca51391275588b69b66ac91d
Instruction Fuzzy Hash: 0C51C5A1504BD53DFB3783248C95BBEBEA95B86300F09C589E1DD4ACC2D298EC84E752

Function 0034542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00353CD6,?,?,?,?,?,?,?,?,00345BA3,?,?,00353CD6,?,?), ref: 00345470
__fassign.LIBCMT ref: 003454EB
__fassign.LIBCMT ref: 00345506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00353CD6,00000005,00000000,00000000), ref: 0034552C
WriteFile.KERNEL32(?,00353CD6,00000000,00345BA3,00000000,?,?,?,?,?,?,?,?,?,00345BA3,?), ref: 0034554B
WriteFile.KERNEL32(?,?,00000001,00345BA3,00000000,?,?,?,?,?,?,?,?,?,00345BA3,?), ref: 00345584

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 576060c0391efed49ec2fe26d2a1137c1f5a69119bf767cee60a8025e9ad21ab
Instruction ID: 6ffc90bcb73c0149ed2512cc1caac314f3f514ab83c24c8941f00e274866f657
Opcode Fuzzy Hash: 576060c0391efed49ec2fe26d2a1137c1f5a69119bf767cee60a8025e9ad21ab
Instruction Fuzzy Hash: 2151DA71E006459FDB12CFA8D885AEEBBF9EF09300F14415AF556EB292D730EA41CB60

Function 003910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0039304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0039307A
Part of subcall function 0039304E: _wcslen.LIBCMT ref: 0039309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00391112
WSAGetLastError.WSOCK32 ref: 00391121
WSAGetLastError.WSOCK32 ref: 003911C9
closesocket.WSOCK32(00000000), ref: 003911F9

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: ef9cfde24b0c5ff1e649ec4c21c18a86b0f36053f9719f500fc9c80568107b83
Instruction ID: db489137c2c9cf77f121beba70e8b19020a7fdf3428d64d8fa846730ce669b2c
Opcode Fuzzy Hash: ef9cfde24b0c5ff1e649ec4c21c18a86b0f36053f9719f500fc9c80568107b83
Instruction Fuzzy Hash: 4E41F231600205AFDB129F14C885BAABBEDFF45324F148059F916AF291C774ED81CBA0

Function 0037CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0037DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0037CF22,?), ref: 0037DDFD

Part of subcall function 0037DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0037CF22,?), ref: 0037DE16

lstrcmpiW.KERNEL32(?,?), ref: 0037CF45
MoveFileW.KERNEL32(?,?), ref: 0037CF7F
_wcslen.LIBCMT ref: 0037D005
_wcslen.LIBCMT ref: 0037D01B
SHFileOperationW.SHELL32(?), ref: 0037D061

Strings

\*.*, xrefs: 0037CFF3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e5fcd2b64ef5828593d0835344edd529cd2c53886c5cd4720665e7b81bb0ffa6
Instruction ID: 249fb4ef1859c40d490b16882fed49eecda91a82323dd7144d7a7e74ec4e1e69
Opcode Fuzzy Hash: e5fcd2b64ef5828593d0835344edd529cd2c53886c5cd4720665e7b81bb0ffa6
Instruction Fuzzy Hash: 964156719452185FDF27EFA4C981BDEB7BCAF09380F0050EAE509EB141EB38A684CB50

Function 003A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 003A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 003A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 003A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 003A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 003A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 003A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A2F0B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3d45cc20f5b105990761f5dbea5501f5db778089d44a71a36354300ebabdbc88
Instruction ID: d274d429bea3cd7026f82145e9844d278191401c9fc906ee39a554c346ced8dd
Opcode Fuzzy Hash: 3d45cc20f5b105990761f5dbea5501f5db778089d44a71a36354300ebabdbc88
Instruction Fuzzy Hash: E131E331645290AFDB22CF5CDC84F6677E9EB9A710F1A1164F9458F2B2CB71AC80DB81

Function 00377726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00377769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0037778F
SysAllocString.OLEAUT32(00000000), ref: 00377792
SysAllocString.OLEAUT32(?), ref: 003777B0
SysFreeString.OLEAUT32(?), ref: 003777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003777DE
SysAllocString.OLEAUT32(?), ref: 003777EC

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d3835bd2ea059537285b83fb7b5fc0730e3064f7e7c1c4e8661ac42d7f15887a
Instruction ID: 80452065c314c4baab8e0fb9b0384b3ce5d698c23d1ee028d482b346a336483c
Opcode Fuzzy Hash: d3835bd2ea059537285b83fb7b5fc0730e3064f7e7c1c4e8661ac42d7f15887a
Instruction Fuzzy Hash: F521C176604219AFDF26EFA8DC88CBB77ECEB09764B018025FA18DB150D678DC42C764

Function 003777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00377842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00377868
SysAllocString.OLEAUT32(00000000), ref: 0037786B
SysAllocString.OLEAUT32 ref: 0037788C
SysFreeString.OLEAUT32 ref: 00377895
StringFromGUID2.OLE32(?,?,00000028), ref: 003778AF
SysAllocString.OLEAUT32(?), ref: 003778BD

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1df7a8c31127bb482144677d28c43f77588c973862c42ec61db905ec205b5151
Instruction ID: cbe62b32c2c1126ee86efa13d43ef13249898d0619c8dad76af9248e40e1ba3b
Opcode Fuzzy Hash: 1df7a8c31127bb482144677d28c43f77588c973862c42ec61db905ec205b5151
Instruction Fuzzy Hash: 8D219231604114BFDB229FA8DC8DDBA77ECEB09760B118125F919CB2A1D678DC41CB65

Function 003804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0038052E

Strings

nul, xrefs: 00380567

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 11fcf00f335c4201125611b534d4bbaccb8899aaa7a1a575f3a2089508ba172f
Instruction ID: f9496aa905aa850d0b84b009e29781a789b7e7a3a66a01e0ddcb2f958c20dad0
Opcode Fuzzy Hash: 11fcf00f335c4201125611b534d4bbaccb8899aaa7a1a575f3a2089508ba172f
Instruction Fuzzy Hash: E5218D75604305AFDF66AF29DC04A9A77E8AF46724F204A59F8A1E62E0D7709948CF30

Function 003805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00380601

Strings

nul, xrefs: 00380639

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cc6e931550db51e6744893e69358e490d4c325bebcff45cec3524e23747821d6
Instruction ID: 0d51bc098537156491060a821f4f8d537bc82c9004f4a7d407c3cf69c9b563f1
Opcode Fuzzy Hash: cc6e931550db51e6744893e69358e490d4c325bebcff45cec3524e23747821d6
Instruction Fuzzy Hash: 892181755003059FDB66AF69DC04A9A77E8FF95720F200B59F8B1E72E0E7B09964CB20

Function 003A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0031600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0031604C
Part of subcall function 0031600E: GetStockObject.GDI32(00000011), ref: 00316060
Part of subcall function 0031600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003A4145

Strings

Msctls_Progress32, xrefs: 003A40E3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a331980ab599dc6c107113c5625a9517a9a4ea398c41c1bd8475496b76c9ed57
Instruction ID: bf92ef92986be9c1ae7278464dead3a530ea8925ffd520157329b7d0a039d90d
Opcode Fuzzy Hash: a331980ab599dc6c107113c5625a9517a9a4ea398c41c1bd8475496b76c9ed57
Instruction Fuzzy Hash: 701186B21502197EEF129F64CC85EE77F5DEF09798F014111F618A6150C6729C61DBA4

Function 0034D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0034D7A3: _free.LIBCMT ref: 0034D7CC

_free.LIBCMT ref: 0034D82D

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 0034D838
_free.LIBCMT ref: 0034D843
_free.LIBCMT ref: 0034D897
_free.LIBCMT ref: 0034D8A2
_free.LIBCMT ref: 0034D8AD
_free.LIBCMT ref: 0034D8B8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 37ca7f8112f71bc9b53cca9a64b8ba15ab77d107309a7493c827c86788d66c6a
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D311FE71541B04ABEA23BFB1CC47FCB7FDCAF05700F804825B299AE692DB76B5158660

Function 0037DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0037DA74
LoadStringW.USER32(00000000), ref: 0037DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0037DA91
LoadStringW.USER32(00000000), ref: 0037DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0037DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0037DAB9

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 49917c9edaa606f9f72419bcd69ed9db4fdcd19feb091e832a7a7fb46d298874
Instruction ID: 3fb2a7a70f6fa29c08c16f89f5213c7fe42bbdaff3de18faab0ec4416092e55f
Opcode Fuzzy Hash: 49917c9edaa606f9f72419bcd69ed9db4fdcd19feb091e832a7a7fb46d298874
Instruction Fuzzy Hash: 0C0186F69102087FE752DBA49D89EE7337CEB09301F405496F74AE2041EA749E844F74

Function 0038096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00FCE130,00FCE130), ref: 0038097B
EnterCriticalSection.KERNEL32(00FCE110,00000000), ref: 0038098D
TerminateThread.KERNEL32(?,000001F6), ref: 0038099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003809A9
CloseHandle.KERNEL32(?), ref: 003809B8
InterlockedExchange.KERNEL32(00FCE130,000001F6), ref: 003809C8
LeaveCriticalSection.KERNEL32(00FCE110), ref: 003809CF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ae055fdac832c652f0c3687539f956e32b432c75989e88def6066dca8a5d3cf0
Instruction ID: 67ff55ff74b21d1c9d49be40962298fb3235257c92861f5174b657ab5cee1d0a
Opcode Fuzzy Hash: ae055fdac832c652f0c3687539f956e32b432c75989e88def6066dca8a5d3cf0
Instruction Fuzzy Hash: 83F03131552602BBDB475F94EE8CBD67B39FF02702F402415F101508B0CB749465CF90

Function 00391C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00391DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00391DE1
WSAGetLastError.WSOCK32 ref: 00391DF2
htons.WSOCK32(?,?,?,?,?), ref: 00391EDB
inet_ntoa.WSOCK32(?), ref: 00391E8C

Part of subcall function 003739E8: _strlen.LIBCMT ref: 003739F2

Part of subcall function 00393224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0038EC0C), ref: 00393240

_strlen.LIBCMT ref: 00391F35

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 043be6a08a576b036f31e39623043e67954f19a5b13d230474d289afc7ef55f5
Instruction ID: 4a4041a7077fd3fdc4e203e9e391e7649057a024cec4898352ed93a37fbbc215
Opcode Fuzzy Hash: 043be6a08a576b036f31e39623043e67954f19a5b13d230474d289afc7ef55f5
Instruction Fuzzy Hash: F7B10431204301AFC72ADF24C885E6AB7E5AF85318F55894CF4566F2E2DB31ED42CB91

Function 00315D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00315D30
GetWindowRect.USER32(?,?), ref: 00315D71
ScreenToClient.USER32(?,?), ref: 00315D99
GetClientRect.USER32(?,?), ref: 00315ED7
GetWindowRect.USER32(?,?), ref: 00315EF8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 88167593cda60d749958dc92a24b6b444a18e42794f4872199af86499d3ad947
Instruction ID: 687cefc758d6a0809d7607a6a93973f7e576652c78c55a03d10fdafd39c40f7a
Opcode Fuzzy Hash: 88167593cda60d749958dc92a24b6b444a18e42794f4872199af86499d3ad947
Instruction Fuzzy Hash: B4B18C34A0074ADBDB19CFA9C440BEEB7F5FF58310F14941AE8A9D7650D730AA91DB50

Function 003401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003400D6
__allrem.LIBCMT ref: 003400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0034010B
__allrem.LIBCMT ref: 00340122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00340140

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a47e604d2aba9e65b2803f220fc7028ef7fd942a5dbc0c70af93b9ed3ccbe132
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: AB811875B007069FE726AE38CC81B6BB3E8AF41724F25463AF951DF691E770E9008B50

Function 003461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003382D9,003382D9,?,?,?,0034644F,00000001,00000001,8BE85006), ref: 00346258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0034644F,00000001,00000001,8BE85006,?,?,?), ref: 003462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003463D8
__freea.LIBCMT ref: 003463E5

Part of subcall function 00343820: RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

__freea.LIBCMT ref: 003463EE
__freea.LIBCMT ref: 00346413

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9a3bf86fd6d7c7264359e9d5201354498ed834dd199f17cb771382e9d0938f57
Instruction ID: 1b52ecb773cf204e6876e131949c37378604c9a6bff5168a47d2b470ea830e7b
Opcode Fuzzy Hash: 9a3bf86fd6d7c7264359e9d5201354498ed834dd199f17cb771382e9d0938f57
Instruction Fuzzy Hash: 4B51E172600256ABDB278F64CC82EAF77E9EB46710F164669FC05DF1A0DB34EC40C6A1

Function 0039BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 0039C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039C9F1
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA68
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039BD25
RegCloseKey.ADVAPI32(00000000), ref: 0039BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0039BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0039BDF3
RegCloseKey.ADVAPI32(?), ref: 0039BDFF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: db07605f3e86c3d0590360f0065c9fb500620ac0f8af768485fd93ce55adc17d
Instruction ID: 17783fb155fbafc2bef0f238ef4f9938171e1503f1e84b89b477ddd57a4fcc5e
Opcode Fuzzy Hash: db07605f3e86c3d0590360f0065c9fb500620ac0f8af768485fd93ce55adc17d
Instruction Fuzzy Hash: D481C130208241EFCB16DF24D995E6ABBE9FF85308F14855CF4594B2A2DB31ED45CB92

Function 0036F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0036F7B9
SysAllocString.OLEAUT32(00000001), ref: 0036F860
VariantCopy.OLEAUT32(0036FA64,00000000), ref: 0036F889
VariantClear.OLEAUT32(0036FA64), ref: 0036F8AD
VariantCopy.OLEAUT32(0036FA64,00000000), ref: 0036F8B1
VariantClear.OLEAUT32(?), ref: 0036F8BB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ee6bc5bb5a611f3cdb3a4dcb4161c2d47770129997011fe68ff61f5061cde731
Instruction ID: d3266666cf62fc6001aa705de872bd423ee997609ea2d9e2c31adb5d451bf6e6
Opcode Fuzzy Hash: ee6bc5bb5a611f3cdb3a4dcb4161c2d47770129997011fe68ff61f5061cde731
Instruction Fuzzy Hash: D451B631610310BECF16AB66E895B69B3E9EF49310F24D467E905DF299DB708C40CB56

Function 0038910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00317620: _wcslen.LIBCMT ref: 00317625

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003894E5
_wcslen.LIBCMT ref: 00389506
_wcslen.LIBCMT ref: 0038952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00389585

Strings

X, xrefs: 00389412

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1c04972f01046638a1a6389ac3f1fc8ccfcd1e9d624a8d25bdde44d4506c68ea
Instruction ID: ec993424c41632df6c0ba22957239826a81fdc514cb69505cd514b9db836bf4b
Opcode Fuzzy Hash: 1c04972f01046638a1a6389ac3f1fc8ccfcd1e9d624a8d25bdde44d4506c68ea
Instruction Fuzzy Hash: 53E1B631504300DFC716EF24C881BAAB7E5BF89314F1989AEF8999B2A1DB31DD45CB91

Function 0032920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

BeginPaint.USER32(?,?,?), ref: 00329241
GetWindowRect.USER32(?,?), ref: 003292A5
ScreenToClient.USER32(?,?), ref: 003292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003292D3
EndPaint.USER32(?,?,?,?,?), ref: 00329321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003671EA

Part of subcall function 00329339: BeginPath.GDI32(00000000), ref: 00329357

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ae9549984efebd867e75da1632f670ae8f932893cc3838f32bf46d4541071281
Instruction ID: 7b9e3d87eb4504d6a2e47ae57c1a29ebc3e06d4a0967a152dfedaa1899c6faa7
Opcode Fuzzy Hash: ae9549984efebd867e75da1632f670ae8f932893cc3838f32bf46d4541071281
Instruction Fuzzy Hash: 4E41B231104310AFD722DF25DC84FBA7BBCEB4A724F14062AF9948B2E2C7319845DB61

Function 003807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0038080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00380847
EnterCriticalSection.KERNEL32(?), ref: 00380863
LeaveCriticalSection.KERNEL32(?), ref: 003808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00380921

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d4c4e621601db6c3b3c6e6675023b8e3467d8eb11ac8a11f2b982eb9564ea624
Instruction ID: d0378aa5fb95d12d72e4d30508282c34293e6dd70d89b4c4c333780b22fc75e5
Opcode Fuzzy Hash: d4c4e621601db6c3b3c6e6675023b8e3467d8eb11ac8a11f2b982eb9564ea624
Instruction Fuzzy Hash: 87414C71A00205EFDF16AF54DC85A6AB778FF05310F1540A9ED00AE296D730DE55DBA0

Function 003A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0036F3AB,00000000,?,?,00000000,?,0036682C,00000004,00000000,00000000), ref: 003A824C
EnableWindow.USER32(?,00000000), ref: 003A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003A82D1
ShowWindow.USER32(?,00000004), ref: 003A82E5
EnableWindow.USER32(?,00000001), ref: 003A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003A832F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d5db8c31fc30e1a12413067f7b2623851f0ec581047100390700f68e1fbbff9d
Instruction ID: ec6947bf2337505dd910e8695a9e22b4e8dddf150a29ddb89497c2b4888c6ea5
Opcode Fuzzy Hash: d5db8c31fc30e1a12413067f7b2623851f0ec581047100390700f68e1fbbff9d
Instruction Fuzzy Hash: 1C418038601644EFDF27CF15D899BA47BF4FB0B714F1952A9E6484F2A2CB31A851CB90

Function 00374C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00374C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00374CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00374CEA
_wcslen.LIBCMT ref: 00374D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00374D10
_wcsstr.LIBVCRUNTIME ref: 00374D1A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 97312024d38dc39e6a16b5fa40d8ec80ee971aabb9074983a5a39d589af874b3
Instruction ID: a691cd891e489e9bd3c4155da78c35ec689b67eaa78c43d28ee8494f1ba13b62
Opcode Fuzzy Hash: 97312024d38dc39e6a16b5fa40d8ec80ee971aabb9074983a5a39d589af874b3
Instruction Fuzzy Hash: 5F21DA31204115BBEB379B39AC45E7BBBACDF46750F158079F809CA162EB65EC0096A0

Function 0038581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00313AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00313A97,?,?,00312E7F,?,?,?,00000000), ref: 00313AC2

_wcslen.LIBCMT ref: 0038587B
CoInitialize.OLE32(00000000), ref: 00385995
CoCreateInstance.OLE32(003AFCF8,00000000,00000001,003AFB68,?), ref: 003859AE
CoUninitialize.OLE32 ref: 003859CC

Strings

.lnk, xrefs: 00385876, 003858C1, 00385985

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: fb98207d482c3790c2542d7ffd7d4b834e0a01f98721f3aef57edf1636492b6b
Instruction ID: ae4cb3e50489c58f211d00b3502c38c141b8ba52e29302e0549ef7f5a8c88095
Opcode Fuzzy Hash: fb98207d482c3790c2542d7ffd7d4b834e0a01f98721f3aef57edf1636492b6b
Instruction Fuzzy Hash: B9D154756087019FC71AEF24C480A6ABBF6EF89710F154899F88A9B361D731EC45CB92

Function 0037175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00370FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00370FCA
Part of subcall function 00370FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00370FD6
Part of subcall function 00370FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00370FE5
Part of subcall function 00370FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00370FEC
Part of subcall function 00370FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00371002

GetLengthSid.ADVAPI32(?,00000000,00371335), ref: 003717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003717BA
HeapAlloc.KERNEL32(00000000), ref: 003717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003717DA
GetProcessHeap.KERNEL32(00000000,00000000,00371335), ref: 003717EE
HeapFree.KERNEL32(00000000), ref: 003717F5

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b142ea5cadd9dbcac33438bfa5c1ff590436712c29a0102b80ae6154c107be98
Instruction ID: 752637d315e3a0c01a5e8cb63086a71d3b8920405eaa6dccee89bdb6a78deca9
Opcode Fuzzy Hash: b142ea5cadd9dbcac33438bfa5c1ff590436712c29a0102b80ae6154c107be98
Instruction Fuzzy Hash: C3118E72610205FFDB3A9FA8CC49BAE7BADEB46355F118018F44597210D73AA944CB60

Function 003714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00371506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00371515
CloseHandle.KERNEL32(00000004), ref: 00371520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0037154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00371563

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5ed4c9480f32e652d499e6fcb7bee7cc6a2a54c4a3743365289d499a8b1e76c1
Instruction ID: 789414152e6d3f79e99ec4baa81defc6784ce0562dbb384eb2b0db66684a1b49
Opcode Fuzzy Hash: 5ed4c9480f32e652d499e6fcb7bee7cc6a2a54c4a3743365289d499a8b1e76c1
Instruction Fuzzy Hash: AB112976500209AFDF22CF98DD49BDE7BADEF49754F058015FA09A2160C37ACE64DB60

Function 00333382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00333379,00332FE5), ref: 00333390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0033339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003333B7
SetLastError.KERNEL32(00000000,?,00333379,00332FE5), ref: 00333409

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 389740da68659384c949ae5dcbb3ee5685be6c591344ed68247c52de4bcfc9a8
Instruction ID: 47ce30c2bf293c721f3c6b101635ce2ec070579f7ee67110e9f8efa63043937a
Opcode Fuzzy Hash: 389740da68659384c949ae5dcbb3ee5685be6c591344ed68247c52de4bcfc9a8
Instruction Fuzzy Hash: 9E01F73772E312BEEA2727757CC66676B9CEB05379F20C22AF410892F0EF218E019544

Function 00342D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00345686,00353CD6,?,00000000,?,00345B6A,?,?,?,?,?,0033E6D1,?,003D8A48), ref: 00342D78
_free.LIBCMT ref: 00342DAB
_free.LIBCMT ref: 00342DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0033E6D1,?,003D8A48,00000010,00314F4A,?,?,00000000,00353CD6), ref: 00342DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0033E6D1,?,003D8A48,00000010,00314F4A,?,?,00000000,00353CD6), ref: 00342DEC
_abort.LIBCMT ref: 00342DF2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 965b2e46585a4cf37595c6c29df7248cacacde4c9953405a98399eac47b8ce08
Instruction ID: d19e96f6f37617ba6b8873e13c3924e8967385e3d77c8e7c3d459caf3679daa1
Opcode Fuzzy Hash: 965b2e46585a4cf37595c6c29df7248cacacde4c9953405a98399eac47b8ce08
Instruction Fuzzy Hash: E0F02835915A0127C6132339BC0AF5F26DDAFC37A0F660419F834BE1D2EF74B8014120

Function 003A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00329639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00329693
Part of subcall function 00329639: SelectObject.GDI32(?,00000000), ref: 003296A2
Part of subcall function 00329639: BeginPath.GDI32(?), ref: 003296B9
Part of subcall function 00329639: SelectObject.GDI32(?,00000000), ref: 003296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 003A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 003A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 003A8A70
LineTo.GDI32(?,00000000,00000003), ref: 003A8A80
EndPath.GDI32(?), ref: 003A8A90
StrokePath.GDI32(?), ref: 003A8AA0

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5421802770ed7af75bc3ca1a27e617f331b8f0ab59359228ec8bbc2715ef0cb3
Instruction ID: 4ae814c02089ffe51fe223107bd4bcbfba053223d29f4d47621e189453a97344
Opcode Fuzzy Hash: 5421802770ed7af75bc3ca1a27e617f331b8f0ab59359228ec8bbc2715ef0cb3
Instruction Fuzzy Hash: 5A11C57600015DFFEB129F94DC88EAA7FADEB09354F048022BA199A1A1C7719D55DBA0

Function 003751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00375218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00375229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00375230
ReleaseDC.USER32(00000000,00000000), ref: 00375238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0037524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00375261

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0d8088b64d736da37de79c5c00d7767738d1fe750b475ee0dfba5e9affbbfacc
Instruction ID: 028e223e7c74bdf7323614dcafcd55d45ac978caa66d6c27c1b98d37eb6e0997
Opcode Fuzzy Hash: 0d8088b64d736da37de79c5c00d7767738d1fe750b475ee0dfba5e9affbbfacc
Instruction Fuzzy Hash: 49014F75A01718BBEB119BA59C49B5EBFB8EB49751F048465FA04AB291D6709C00CBA0

Function 00311BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00311BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00311BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00311C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00311C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00311C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00311C22

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a382cc1d4e4583cf4d2a4eba85750cba009e5c5a72f34d08f6095248960b68d0
Instruction ID: f94ecce3626866135b9bf36e766db532f0c097127c1896eed1194ba14c720be7
Opcode Fuzzy Hash: a382cc1d4e4583cf4d2a4eba85750cba009e5c5a72f34d08f6095248960b68d0
Instruction Fuzzy Hash: F30167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0037EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0037EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0037EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0037EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0037EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0037EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0037EB75

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2b5d0d959466103ad937cc5a3e67780bd0e8f8ad80c75a87983cf27299bbfd35
Instruction ID: e04f6571d41286cddd3284f0b8895d4775ac555bdee261ab53834bbd30cea7af
Opcode Fuzzy Hash: 2b5d0d959466103ad937cc5a3e67780bd0e8f8ad80c75a87983cf27299bbfd35
Instruction Fuzzy Hash: 16F05E72250158BBE7229B629C0EEEF7E7CEFCBB11F005159F601D11A1EBA45A01C6B5

Function 00367439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00367452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00367469
GetWindowDC.USER32(?), ref: 00367475
GetPixel.GDI32(00000000,?,?), ref: 00367484
ReleaseDC.USER32(?,00000000), ref: 00367496
GetSysColor.USER32(00000005), ref: 003674B0

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 0d134a223547765feefebec5b2dca32785f2f249cf80cd801ad3710143b91760
Instruction ID: 97d47c52057a2a16e6025ad3c7809ed0e8913f75b337f5a1c6b3ccebf8768361
Opcode Fuzzy Hash: 0d134a223547765feefebec5b2dca32785f2f249cf80cd801ad3710143b91760
Instruction Fuzzy Hash: 5A018631410215EFEB139FA5DD08BEABBBAFB06321F655160F926A21B0CF311E41EB50

Function 00371874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0037187F
UnloadUserProfile.USERENV(?,?), ref: 0037188B
CloseHandle.KERNEL32(?), ref: 00371894
CloseHandle.KERNEL32(?), ref: 0037189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003718A5
HeapFree.KERNEL32(00000000), ref: 003718AC

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ecf87efe7bd7584d920859b41a7598b8cf4a53cc58f01c53118889c21ead365b
Instruction ID: 382451c9fe54c3e4cfd5324eecf06adf4d18239385e7936c6e90879c3d9e1192
Opcode Fuzzy Hash: ecf87efe7bd7584d920859b41a7598b8cf4a53cc58f01c53118889c21ead365b
Instruction Fuzzy Hash: E8E0C236214101BBDA025BA1ED0C90ABB6DFB4BB22B109220F225810B0CB369421DF50

Function 0031BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0031BEB3

Strings

D%>D%>, xrefs: 0031BCA5
D%>, xrefs: 0031BCA2
D%>, xrefs: 0031BE9A
D%>, xrefs: 0031BDED, 0031BD91, 0031BD1B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%>$D%>$D%>$D%>D%>
API String ID: 1385522511-3314971793
Opcode ID: 8e39cd025203555edb02d22d442dfcaf7644d17aa372e93fd72f3770cd8828f7
Instruction ID: 26949a4f4d4347c99426c8ebc3e58dcfd9456f0faabf98359b27b4f1c697cf60
Opcode Fuzzy Hash: 8e39cd025203555edb02d22d442dfcaf7644d17aa372e93fd72f3770cd8828f7
Instruction Fuzzy Hash: C3912475A0020ACFCB19CF59D0906EAFBB5FF5D310F25816AD946AB390E731A981CBD0

Function 00397B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00330242: EnterCriticalSection.KERNEL32(003E070C,003E1884,?,?,0032198B,003E2518,?,?,?,003112F9,00000000), ref: 0033024D
Part of subcall function 00330242: LeaveCriticalSection.KERNEL32(003E070C,?,0032198B,003E2518,?,?,?,003112F9,00000000), ref: 0033028A

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 003300A3: __onexit.LIBCMT ref: 003300A9

__Init_thread_footer.LIBCMT ref: 00397BFB

Part of subcall function 003301F8: EnterCriticalSection.KERNEL32(003E070C,?,?,00328747,003E2514), ref: 00330202
Part of subcall function 003301F8: LeaveCriticalSection.KERNEL32(003E070C,?,00328747,003E2514), ref: 00330235

Strings

G, xrefs: 00397C7F
Variable must be of type 'Object'., xrefs: 00397C3A
+T6, xrefs: 00397E2E
5, xrefs: 00397C78

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T6$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1547236106
Opcode ID: 7e678c828c41cfdd7b56b723a4206be78100b563da4fc820e254f04a6445a6bf
Instruction ID: 9816ea1ce9b1547a2438f84cb173540810dac1c8bde6061e25710b5aa71a69e1
Opcode Fuzzy Hash: 7e678c828c41cfdd7b56b723a4206be78100b563da4fc820e254f04a6445a6bf
Instruction Fuzzy Hash: 1C918C74A14209EFCF16EF54D891DADB7B5FF49300F148059F8069B292DB71AE81CB51

Function 0037C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00317620: _wcslen.LIBCMT ref: 00317625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0037C6EE
_wcslen.LIBCMT ref: 0037C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0037C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0037C7CA

Strings

0, xrefs: 0037C6AF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f8879dd173bb0adf63fbded988bc12fa3b74d821d060c80ac9df03f8bae88a87
Instruction ID: 7014097682c613182bdf5636cf6257ea30e735341f3f5f32a876b3fee9569795
Opcode Fuzzy Hash: f8879dd173bb0adf63fbded988bc12fa3b74d821d060c80ac9df03f8bae88a87
Instruction Fuzzy Hash: 7E51F3716243809FC72B9F28C885B6B77E8AF49310F04AA2DF599E71D1DB78D804CB52

Function 0039AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0039AEA3

Part of subcall function 00317620: _wcslen.LIBCMT ref: 00317625

GetProcessId.KERNEL32(00000000), ref: 0039AF38
CloseHandle.KERNEL32(00000000), ref: 0039AF67

Strings

<, xrefs: 0039AE6B
@, xrefs: 0039AE72

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d6a5b12dc7577badd565ef8aad18d7ed2ec1bd61234ce4426485dd246a28481b
Instruction ID: b2aaffabf03a468c5dc8c3efa0c36b1aac724cb5bbf2db9a68a4f9972a81f6d8
Opcode Fuzzy Hash: d6a5b12dc7577badd565ef8aad18d7ed2ec1bd61234ce4426485dd246a28481b
Instruction Fuzzy Hash: B2715575A00619DFCF16EF54C494A9EBBF1BF08310F058599E816AB292CB74ED81CB91

Function 0037719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00377206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0037723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0037724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003772CF

Strings

DllGetClassObject, xrefs: 00377242

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f431f34ff75480920b75c460d67ca2c645adcd1e978208763a33228493810aee
Instruction ID: 4fbf2a3afdad673e0acfc9569c4c93501e0f7402d90d10233470b1c75b9cd430
Opcode Fuzzy Hash: f431f34ff75480920b75c460d67ca2c645adcd1e978208763a33228493810aee
Instruction Fuzzy Hash: FD416D71A04204EFDB26CF54C884A9A7BB9EF45310F15C4A9FD19DF20AD7B9D944CBA0

Function 003A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003A2F8D
LoadLibraryW.KERNEL32(?), ref: 003A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003A2FA9
DestroyWindow.USER32(?), ref: 003A2FB1

Strings

SysAnimate32, xrefs: 003A2F68

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5e7cf5307b9c2c9310cf66c3e6f13a65ac12bb24b05a9890b6bc3ae272c16914
Instruction ID: d0ee9329eb0742eee729a1a5b4438d76032f8d6fe1557d3fb277501ffa065890
Opcode Fuzzy Hash: 5e7cf5307b9c2c9310cf66c3e6f13a65ac12bb24b05a9890b6bc3ae272c16914
Instruction Fuzzy Hash: E721FD72204209AFEF128FA8DC84FBB77BDEB5A364F110218F910D61A0D731DC819760

Function 00334D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00334D1E,003428E9,?,00334CBE,003428E9,003D88B8,0000000C,00334E15,003428E9,00000002), ref: 00334D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00334DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00334D1E,003428E9,?,00334CBE,003428E9,003D88B8,0000000C,00334E15,003428E9,00000002,00000000), ref: 00334DC3

Strings

mscoree.dll, xrefs: 00334D86
CorExitProcess, xrefs: 00334D98

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fbee2ac513caa28404f3a1f7781f7f3041504aa32400056055242d4ee0b8b30c
Instruction ID: f4a7ada99ffae214ff254f82fdfedc581494288d18dfbf81810a05c959481e47
Opcode Fuzzy Hash: fbee2ac513caa28404f3a1f7781f7f3041504aa32400056055242d4ee0b8b30c
Instruction Fuzzy Hash: 3CF04F34A50208BBDB169F94DC89BEEBFF9EF44752F0101A4F906A2261CF74AD40CA90

Function 00314E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00314EDD,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00314EAE
FreeLibrary.KERNEL32(00000000,?,?,00314EDD,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00314EA8
kernel32.dll, xrefs: 00314E94

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 95512b85e3b6b07a979e37ab02ee23ccdb991990653c1ed37dd4225f2a71a6c5
Instruction ID: 7ff543e299d58cfc0816ee12a94d8e4c5db83d46acb1bfd241ed3caa0ae577f8
Opcode Fuzzy Hash: 95512b85e3b6b07a979e37ab02ee23ccdb991990653c1ed37dd4225f2a71a6c5
Instruction Fuzzy Hash: A1E0C236B126225BD2371B25BC18BEFA69CEF87F62F060115FC05E2200DB60CD4284B1

Function 00314E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00353CDE,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00314E74
FreeLibrary.KERNEL32(00000000,?,?,00353CDE,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E87

Strings

kernel32.dll, xrefs: 00314E5B
Wow64RevertWow64FsRedirection, xrefs: 00314E6E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: db31c36b15a52160c17d7f7c255a6b76690f13ef73890c29212bbd2bfbbc5bec
Instruction ID: f317d0486092c98161376f4413cc37eae33aa5b299ab3a5a37a47aa9639bad79
Opcode Fuzzy Hash: db31c36b15a52160c17d7f7c255a6b76690f13ef73890c29212bbd2bfbbc5bec
Instruction Fuzzy Hash: E4D012366126225756271B257C18DCB6A1CEF8BB517061615F905A2114CF61CD4285F0

Function 00382947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00382C05
DeleteFileW.KERNEL32(?), ref: 00382C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00382C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00382CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00382CC0

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c9f266d6f2a6d014b2095a5b776b24622fe50fb98d20d66c425ce34afbd247b9
Instruction ID: e92697616ff179945c53346cf50eead851fedb637cede971d5c3588be4373122
Opcode Fuzzy Hash: c9f266d6f2a6d014b2095a5b776b24622fe50fb98d20d66c425ce34afbd247b9
Instruction Fuzzy Hash: A7B15E72D01219ABDF16EBA4CC85EEFB7BDEF49310F1040A6F509EA151EB319A448F61

Function 0039A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0039A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0039A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0039A468
CloseHandle.KERNEL32(?), ref: 0039A63D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d0f961d03b0193e5a70066c6cc7e8c2b54e567f16fb2a1de7ec87c6ddd2e48b0
Instruction ID: 8d22512483b1f1f5c87fa21f014d6575e121135b80e74c73f24f17c63ab29140
Opcode Fuzzy Hash: d0f961d03b0193e5a70066c6cc7e8c2b54e567f16fb2a1de7ec87c6ddd2e48b0
Instruction Fuzzy Hash: A6A1B0716047009FDB25DF24D886F2AB7E5AF88714F15891CF99A9B2D2DB70EC41CB82

Function 0034BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003B3700), ref: 0034BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,003E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0034BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,003E1270,000000FF,?,0000003F,00000000,?), ref: 0034BC36
_free.LIBCMT ref: 0034BB7F

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 0034BD4B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9bd83e4bd93c52717d94338357b101d1c52b524927d04c04a33f741b7a5ed21a
Instruction ID: 3e4ae887b3a2b9688f341415718704e95179bd5095ccd7c573a3161dcdf83349
Opcode Fuzzy Hash: 9bd83e4bd93c52717d94338357b101d1c52b524927d04c04a33f741b7a5ed21a
Instruction Fuzzy Hash: 5B51B271900219ABCB27EF659CC19AEF7FCEB41310F11066AE554EF1A1EB30EE418B90

Function 0037E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0037DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0037CF22,?), ref: 0037DDFD

Part of subcall function 0037DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0037CF22,?), ref: 0037DE16

Part of subcall function 0037E199: GetFileAttributesW.KERNEL32(?,0037CF95), ref: 0037E19A

lstrcmpiW.KERNEL32(?,?), ref: 0037E473
MoveFileW.KERNEL32(?,?), ref: 0037E4AC
_wcslen.LIBCMT ref: 0037E5EB
_wcslen.LIBCMT ref: 0037E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0037E650

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 266362286509e73d4ecd4bbc08831b178cddab1d4dcae43424356333dc95e426
Instruction ID: d7bd76ae43c35978c3178f73837bc70ae39ed63cc895c293e1c30e0da243bdb0
Opcode Fuzzy Hash: 266362286509e73d4ecd4bbc08831b178cddab1d4dcae43424356333dc95e426
Instruction Fuzzy Hash: B65185B24083459BC736DB90DC91ADF73ECAF89340F00495EF689D7151EF78A5888B66

Function 0039B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 0039C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039C9F1
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA68
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0039BB63
RegCloseKey.ADVAPI32(?,?), ref: 0039BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0039BBB3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 88ef357a44a42e5309a96804f3bcc6f85f8b3eee9188c3706d172bd9ff076c3f
Instruction ID: b670391c56359a9f06eff0a2fadbc255b30c8791c79852d987c3e788085eaea3
Opcode Fuzzy Hash: 88ef357a44a42e5309a96804f3bcc6f85f8b3eee9188c3706d172bd9ff076c3f
Instruction Fuzzy Hash: 1461A031208241AFD71ADF14C590E6AFBE9FF84308F15859DF4998B2A2DB31ED45CB92

Function 00378BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00378BCD
VariantClear.OLEAUT32 ref: 00378C3E
VariantClear.OLEAUT32 ref: 00378C9D
VariantClear.OLEAUT32(?), ref: 00378D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00378D3B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2c72f19076164cd395abf33237172877dfc98dc623f91534d889d7856b808a09
Instruction ID: a11845ac98891a9bbcba4a63fe4c43cc897c113f31924ca04c78481cfcc2a683
Opcode Fuzzy Hash: 2c72f19076164cd395abf33237172877dfc98dc623f91534d889d7856b808a09
Instruction Fuzzy Hash: F65169B5A00219EFCB25CF68C894AAAB7F8FF8D314F158559E909DB350E734E911CB90

Function 00388AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00388BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00388BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00388C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00388C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00388C5F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 2cc9f58cf9a682aa1ca259753f6375acae2a9629916c088f407873c77125e739
Instruction ID: 6367c4866a03106b159da853d27a77a1eb08ddc099865455b0098b118598b61e
Opcode Fuzzy Hash: 2cc9f58cf9a682aa1ca259753f6375acae2a9629916c088f407873c77125e739
Instruction Fuzzy Hash: F8513C35A002159FCB16EF64C881AADBBF5FF49314F098498E849AF362DB35ED51CB90

Function 00398EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00398F40
GetProcAddress.KERNEL32(00000000,?), ref: 00398FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00398FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00399032
FreeLibrary.KERNEL32(00000000), ref: 00399052

Part of subcall function 0032F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00381043,?,7644E610), ref: 0032F6E6
Part of subcall function 0032F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0036FA64,00000000,00000000,?,?,00381043,?,7644E610,?,0036FA64), ref: 0032F70D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ed652674ed386bca77447133e01c0faf037c07d47aa6e431087e73dac1810c0f
Instruction ID: da528a1de6d0dc55825a77616d04315947985ee0310fab3e6c4d54507a7e6eb7
Opcode Fuzzy Hash: ed652674ed386bca77447133e01c0faf037c07d47aa6e431087e73dac1810c0f
Instruction Fuzzy Hash: 9B513935604205DFCB16DF58C4949ADBBF1FF4A314B0980A9E81A9F762DB31ED86CB90

Function 003A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 003A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 003A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 003A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0038AB79,00000000,00000000), ref: 003A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003A6CC7

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 5db333845e7fe5464fca242eb061961bd4c1a60126213d5023976f2f8f8f4416
Instruction ID: c503a68f67a64bbaf55df0ce00d79db85fe9ad063b12625e19bf4323659857a6
Opcode Fuzzy Hash: 5db333845e7fe5464fca242eb061961bd4c1a60126213d5023976f2f8f8f4416
Instruction Fuzzy Hash: 2541EA35604104AFD726DF38CC56FA97BA9EB0B360F1A0228F855A72E1C771ED41C650

Function 00342051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003420C3
_free.LIBCMT ref: 003420E3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 69c4b249dc5d1709a41593422a044b050af699eee0ac39a24f3547999b3f137e
Instruction ID: 94b995ba599be5ee327f641fd6092034e3060238542de04ec95af1fe678f3a3d
Opcode Fuzzy Hash: 69c4b249dc5d1709a41593422a044b050af699eee0ac39a24f3547999b3f137e
Instruction Fuzzy Hash: 0A41AD32A002009FDB26DF68C881A5EB7E5EF89714F5645A9F615EF296DA31BD01CB80

Function 0032912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00329141
ScreenToClient.USER32(00000000,?), ref: 0032915E
GetAsyncKeyState.USER32(00000001), ref: 00329183
GetAsyncKeyState.USER32(00000002), ref: 0032919D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 00c5dadc2806eee8f7314bd5f49455525dd2ae9d9045db95fa8316416b9f5704
Instruction ID: 42e7e3f441ef98509741929f927b259eeb647514b3f9581041b1afd39c6d8450
Opcode Fuzzy Hash: 00c5dadc2806eee8f7314bd5f49455525dd2ae9d9045db95fa8316416b9f5704
Instruction Fuzzy Hash: 0341617190861AFBDF169F69D848BEEB774FF06324F208216E425A72D4C7346950CF91

Function 00383874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00383922
TranslateMessage.USER32(?), ref: 0038394B
DispatchMessageW.USER32(?), ref: 00383955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00383966

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: a3431724edc9250a4b3d779543ddc35396b92f4ce7194d4259d4f6de56d1aa81
Instruction ID: 073d22d4087f451eb6c282895ead08ecd71159f5a2d62d91124d52e634c8598a
Opcode Fuzzy Hash: a3431724edc9250a4b3d779543ddc35396b92f4ce7194d4259d4f6de56d1aa81
Instruction Fuzzy Hash: 6131E7719043859EEB37EB35D848BB637ACEB06700F0506EDE466872E0E7F49A85CB11

Function 0038CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0038C21E,00000000), ref: 0038CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0038CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0038C21E,00000000), ref: 0038CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0038C21E,00000000), ref: 0038CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0038C21E,00000000), ref: 0038CFF2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3fcd0e16b6fb6230353df31b0efa0454df5147100bca71a20f68589e5c6a5fdc
Instruction ID: d18602e79a351f7474f8919ec46c92e8d4c72590b256c5450c056efe4e426235
Opcode Fuzzy Hash: 3fcd0e16b6fb6230353df31b0efa0454df5147100bca71a20f68589e5c6a5fdc
Instruction Fuzzy Hash: 93318E71524305EFEB22EFA5D884AABBBFDEB04310F1054AEF606D6141DB30AE40DB60

Function 00371901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00371915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003719E2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 569cee0300770646de4031bedbf009ee4ae2a9a0f5a340226b1be786f20e86f2
Instruction ID: c281247dba546e31943b562ba6e6f9b3397a0abfcda0cc01aa0e7af360eb8961
Opcode Fuzzy Hash: 569cee0300770646de4031bedbf009ee4ae2a9a0f5a340226b1be786f20e86f2
Instruction Fuzzy Hash: 8531F672A00219EFCB11CFACCD98ADE7BB5EB06314F008225FA25A72D0C3749D45CB90

Function 003A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 003A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 003A579D
_wcslen.LIBCMT ref: 003A57AF
_wcslen.LIBCMT ref: 003A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 003A5816

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6172f6e2bce5f13056dac6ce38c5bfc064ac5da1862c2edcf2fbe541ca6c7133
Instruction ID: ae2f5021788fecca69a59ee2f3bf0c1f8fa444c693f40725eb75586349f6c48d
Opcode Fuzzy Hash: 6172f6e2bce5f13056dac6ce38c5bfc064ac5da1862c2edcf2fbe541ca6c7133
Instruction Fuzzy Hash: B4218271904618DADB229FA1CC85AEEB7BCFF06724F108216F929EA1C0D7719985CF50

Function 00390930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00390951
GetForegroundWindow.USER32 ref: 00390968
GetDC.USER32(00000000), ref: 003909A4
GetPixel.GDI32(00000000,?,00000003), ref: 003909B0
ReleaseDC.USER32(00000000,00000003), ref: 003909E8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 48308a26688dea3bd12a7052cdd0131db5f26a411b46a3cc7c00815a2e1f72f7
Instruction ID: 7215b9532e2f8e575736b5ec04b9a8940ab8182a9ca91739b6f77a3a6248354b
Opcode Fuzzy Hash: 48308a26688dea3bd12a7052cdd0131db5f26a411b46a3cc7c00815a2e1f72f7
Instruction Fuzzy Hash: B7219335600204AFDB05EF65C984AAEBBF9EF49700F048468F84AEB762DB30AC44CB50

Function 0034CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0034CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0034CDE9

Part of subcall function 00343820: RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0034CE0F
_free.LIBCMT ref: 0034CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0034CE31

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: dcc0ad4b5f5509e8d4056caae4b8b242fa860d4b97c3cf2215aa4a571f8420f7
Instruction ID: fa92117d372f62cf7f67669c041b5e95ea4da123affbe14931c7b5000486b185
Opcode Fuzzy Hash: dcc0ad4b5f5509e8d4056caae4b8b242fa860d4b97c3cf2215aa4a571f8420f7
Instruction Fuzzy Hash: 1D01D8726132157F676316B66C48C7B69EDDEC7BA23151129F905CF100DF619D0191B0

Function 00329639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00329693
SelectObject.GDI32(?,00000000), ref: 003296A2
BeginPath.GDI32(?), ref: 003296B9
SelectObject.GDI32(?,00000000), ref: 003296E2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4ef680ab67512aa88c6eedc3505784bf002f65b1a751c65dc9649ca449931588
Instruction ID: c69c109554d5ca4bc8ed45e1f80686326318098b77fbebad973b2a4269b2ce4d
Opcode Fuzzy Hash: 4ef680ab67512aa88c6eedc3505784bf002f65b1a751c65dc9649ca449931588
Instruction Fuzzy Hash: C7217C31812359EFDB239F24EC98BA93BACBB01325F114316F410AA1E2D3749891CFD0

Function 00375711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00375726
_memcmp.LIBVCRUNTIME ref: 00375744
_memcmp.LIBVCRUNTIME ref: 00375757
_memcmp.LIBVCRUNTIME ref: 0037576F
_memcmp.LIBVCRUNTIME ref: 00375787

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: de4f8549b0532f513c03cf5dc2327a3022b217f1e60dd121543e050600bc9ef5
Instruction ID: d8b53cf822ea6bb3e2f054f2aec621bc952fbe455b9131284af82ca2d64a01d2
Opcode Fuzzy Hash: de4f8549b0532f513c03cf5dc2327a3022b217f1e60dd121543e050600bc9ef5
Instruction Fuzzy Hash: E30192A5641A49BEE22E55119DC2FFA635CDB363A4F008020FD089E641F7A5ED1082A0

Function 00342DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0033F2DE,00343863,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6), ref: 00342DFD
_free.LIBCMT ref: 00342E32
_free.LIBCMT ref: 00342E59
SetLastError.KERNEL32(00000000,00311129), ref: 00342E66
SetLastError.KERNEL32(00000000,00311129), ref: 00342E6F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4e91447bb4bfa00285bcb77cfa53b0645d4984ea54cbe6a94d825264e6b45009
Instruction ID: 344926ae3d85f0245be9dfd4c1496c15a687798cce030645f7c70507c9398cd9
Opcode Fuzzy Hash: 4e91447bb4bfa00285bcb77cfa53b0645d4984ea54cbe6a94d825264e6b45009
Instruction Fuzzy Hash: 6401F436255A0177CA1367356C85D2B26EDABD23A1BE60429F421FE2E2EF74EC818120

Function 0037000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?,?,0037035E), ref: 0037002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?), ref: 00370064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370070

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3fe1afe8e63e8575f4654efb57d1859d5fea6de491d33eb87405614ec6bc9480
Instruction ID: cc52d9045a7d2f8db66d3e2f4b9a7b7c0bca12182f01e113af9afacc2e38855c
Opcode Fuzzy Hash: 3fe1afe8e63e8575f4654efb57d1859d5fea6de491d33eb87405614ec6bc9480
Instruction Fuzzy Hash: 7001AD76610204FFDB264F68DC04BAE7AEDEF447A2F149128F909D2210EB79DD409BA0

Function 0037E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0037E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0037E9A5
Sleep.KERNEL32(00000000), ref: 0037E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0037E9B7
Sleep.KERNEL32 ref: 0037E9F3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1ff5819c633cdddd75b04a16db5e9f51ab7733e596e2766b5e8a2235ce6c8f68
Instruction ID: de659ed7ab52248c4156aff6a3149410e6c6f0fda1395336e89424348697ad00
Opcode Fuzzy Hash: 1ff5819c633cdddd75b04a16db5e9f51ab7733e596e2766b5e8a2235ce6c8f68
Instruction Fuzzy Hash: 12015B32D11529DBCF129BE4D849ADDBB78BF0E301F014586E606B2241CB389555CB61

Function 003710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00371114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 0037112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0037114D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b8b61a2d00a3c2903edc0f61805dec3c6ba87b2358eddbe4d672442e745b0b7d
Instruction ID: 4fea2da1b2e5ee7805c032ae5af1b79bc1351d48f465fcbe1d0b2efabfa97050
Opcode Fuzzy Hash: b8b61a2d00a3c2903edc0f61805dec3c6ba87b2358eddbe4d672442e745b0b7d
Instruction Fuzzy Hash: A501197A210205BFDB124FA9DC49A6A3B6EEF8A3A0F614419FA45D7360DA35DD009A60

Function 00370FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00370FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00370FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00370FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00370FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00371002

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 55405dad586e4a55f89dd03163e5d55393e038cc29d35a88921e579c6f436479
Instruction ID: d6586cf50a1766d7735fcab3af0f6d943582baab38c13940e348c05f2f4028bc
Opcode Fuzzy Hash: 55405dad586e4a55f89dd03163e5d55393e038cc29d35a88921e579c6f436479
Instruction Fuzzy Hash: B7F06D3A210305FBDB224FA8DC4DF563BADEF8A762F114414FA49C7291DE74DC508A60

Function 00371014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0037102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00371036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00371045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0037104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00371062

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 420f5da810eec55532fa2c2c629a6bcbed3de27661534cf477c1bb69eaaf05b0
Instruction ID: ca4f4f468b7497f8547a809d15190714618daa2a9114aaded53ce12eb4f2d4d9
Opcode Fuzzy Hash: 420f5da810eec55532fa2c2c629a6bcbed3de27661534cf477c1bb69eaaf05b0
Instruction Fuzzy Hash: 80F06D3A220301FBDB235FA8EC49F563BADEF8A761F114414FA49C7290DE74D8508A60

Function 0038030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 00380324
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 00380331
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 0038033E
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 0038034B
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 00380358
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 00380365

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 20d0dbd0e27555fd8a657ba5cadb9c038a4bf94147720e9951afe829a2210ff5
Instruction ID: d3ebd845975b41114ae673e7f97886529fe311448051857b6def2cc6b7babb9c
Opcode Fuzzy Hash: 20d0dbd0e27555fd8a657ba5cadb9c038a4bf94147720e9951afe829a2210ff5
Instruction Fuzzy Hash: 2401EE7A800B01DFCB32AF66D880802FBF9BF603053068A3FD19252930C3B0A948CF80

Function 0034D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0034D752

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 0034D764
_free.LIBCMT ref: 0034D776
_free.LIBCMT ref: 0034D788
_free.LIBCMT ref: 0034D79A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6e84ca78e4f4150f1309d7e760b1f7aec0d368b1fe58ba5d90679a27d8bd316f
Instruction ID: bfc399fa151fc00e77d954de4c8ca2113cc107b2283395900fadc8dc12f74d00
Opcode Fuzzy Hash: 6e84ca78e4f4150f1309d7e760b1f7aec0d368b1fe58ba5d90679a27d8bd316f
Instruction Fuzzy Hash: 5EF0F932565205AB9663EF69F9C6C1B7BDDBB45710BE61806F048EF512CB30FC908A64

Function 00375C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00375C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00375C6F
MessageBeep.USER32(00000000), ref: 00375C87
KillTimer.USER32(?,0000040A), ref: 00375CA3
EndDialog.USER32(?,00000001), ref: 00375CBD

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a83f8a9f0f0e71fae5bd20c73249c5046730a83f660a2cae2be909e40d7a3054
Instruction ID: c9ebd927354fb8538181687e1eca54f3fcab966aa0d0bac5a6dd4450a95fafb6
Opcode Fuzzy Hash: a83f8a9f0f0e71fae5bd20c73249c5046730a83f660a2cae2be909e40d7a3054
Instruction Fuzzy Hash: 5901D130500B04ABEB3B9B10DD4EFA677FCBB01B01F085159A187A14F0DBF8A9848A90

Function 003422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003422BE

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 003422D0
_free.LIBCMT ref: 003422E3
_free.LIBCMT ref: 003422F4
_free.LIBCMT ref: 00342305

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8fdbb322f06dfde38f21bb553127ccc978adf2d33b3e340159c52a5367d3525a
Instruction ID: 4b4e15e568040e832d305fc2c66ba0443fc7fe953fa817ce60b6971befc8522d
Opcode Fuzzy Hash: 8fdbb322f06dfde38f21bb553127ccc978adf2d33b3e340159c52a5367d3525a
Instruction Fuzzy Hash: 9FF030754211919B9A37AF55BC8180E3BACF719760F851B07F410FE2F1C7712862EBA5

Function 003295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003295D4
StrokeAndFillPath.GDI32(?,?,003671F7,00000000,?,?,?), ref: 003295F0
SelectObject.GDI32(?,00000000), ref: 00329603
DeleteObject.GDI32 ref: 00329616
StrokePath.GDI32(?), ref: 00329631

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7255c6bc76c077b3bd5a91fe74633b36ce586e76979517fb08138347769dd7e8
Instruction ID: 7074139d1cbdf71fa6de2ccd4f5978a2817c40ea32c41f2b77e8a9fe8a87516b
Opcode Fuzzy Hash: 7255c6bc76c077b3bd5a91fe74633b36ce586e76979517fb08138347769dd7e8
Instruction Fuzzy Hash: B0F03C31025248EBDB279F65ED5C7643BA9AB02332F148315F425590F2CB348991DFA0

Function 00340F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003410F9
__freea.LIBCMT ref: 00341117

Part of subcall function 00341537: _free.LIBCMT ref: 0034154F

Strings

a/p, xrefs: 003411DE
am/pm, xrefs: 0034117A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6ba5ae864a4279f82cc43aea1137d5d40fd17f66f03f84df2afaa9da4818b051
Instruction ID: bf7c583f7b891471ac42ef4eee9a754e3054924169e711d811009e0b3c6bea4d
Opcode Fuzzy Hash: 6ba5ae864a4279f82cc43aea1137d5d40fd17f66f03f84df2afaa9da4818b051
Instruction Fuzzy Hash: F2D1F239A10A06CACB2B9F68C895BFAB7F4EF05700F294159E9119FA50D375BDC0CB91

Function 003961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00330242: EnterCriticalSection.KERNEL32(003E070C,003E1884,?,?,0032198B,003E2518,?,?,?,003112F9,00000000), ref: 0033024D
Part of subcall function 00330242: LeaveCriticalSection.KERNEL32(003E070C,?,0032198B,003E2518,?,?,?,003112F9,00000000), ref: 0033028A

Part of subcall function 003300A3: __onexit.LIBCMT ref: 003300A9

__Init_thread_footer.LIBCMT ref: 00396238

Part of subcall function 003301F8: EnterCriticalSection.KERNEL32(003E070C,?,?,00328747,003E2514), ref: 00330202
Part of subcall function 003301F8: LeaveCriticalSection.KERNEL32(003E070C,?,00328747,003E2514), ref: 00330235

Part of subcall function 0038359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003835E4
Part of subcall function 0038359C: LoadStringW.USER32(003E2390,?,00000FFF,?), ref: 0038360A

Strings

x#>, xrefs: 00396353
x#>, xrefs: 0039636F
x#>, xrefs: 0039633A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#>$x#>$x#>
API String ID: 1072379062-1511475485
Opcode ID: f9d90648c845b0bb63fc48dee756455aed3b13e73af4842163ef6f00e1744bf8
Instruction ID: ba98356126d880781d6ff5495e550f8a767f885ff49e5ab1c3c8c32d6ee15d8c
Opcode Fuzzy Hash: f9d90648c845b0bb63fc48dee756455aed3b13e73af4842163ef6f00e1744bf8
Instruction Fuzzy Hash: A3C18C71A00209AFCF16DF98C892EBEB7B9EF49300F158469F9459B291DB70ED45CB90

Function 00345AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO1, xrefs: 00345BA8, 00345C6C

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: JO1
API String ID: 0-2759033588
Opcode ID: 2146230a9eaf7b62b23404a319ccf445576f14dbd0b860c3a8a5c2183cebd64b
Instruction ID: dcf9730d97d1e190e43b0b6ae0685283ebce23e197b33ecde0f3f75ed0b17d1c
Opcode Fuzzy Hash: 2146230a9eaf7b62b23404a319ccf445576f14dbd0b860c3a8a5c2183cebd64b
Instruction Fuzzy Hash: 7D519C75E00609AFCB239FA5C885BAEBBF8EF05310F15015AF405AF292D671AE018B61

Function 00348A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00348B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00348B7A
__dosmaperr.LIBCMT ref: 00348B81

Strings

.3, xrefs: 00348A63

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .3
API String ID: 2434981716-376848344
Opcode ID: e760fc993f21a21839842dd6d2438574abd9d0c6c5e3b8a5c8416df39f49bccb
Instruction ID: 03e80d93b460e6c9e8a2610f61f7c9f0780bd356df70e00c6cd0b117ee06c02c
Opcode Fuzzy Hash: e760fc993f21a21839842dd6d2438574abd9d0c6c5e3b8a5c8416df39f49bccb
Instruction Fuzzy Hash: F9416E70604045AFDB279F28C880A7D7FE9DF46304F2945A9F8858F642DE71AC539790

Function 00372716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0037B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003721D0,?,?,00000034,00000800,?,00000034), ref: 0037B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00372760

Part of subcall function 0037B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0037B3F8

Part of subcall function 0037B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0037B355
Part of subcall function 0037B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00372194,00000034,?,?,00001004,00000000,00000000), ref: 0037B365
Part of subcall function 0037B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00372194,00000034,?,?,00001004,00000000,00000000), ref: 0037B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0037281A

Strings

@, xrefs: 00372832

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2d71bc24485abf964125a76726fb67f5952b679a4713a94bcb7d604de0115ca4
Instruction ID: a64f52a97510e3f573bc7c1485fd7b6e687aa3c059043412830b9bd22b103a87
Opcode Fuzzy Hash: 2d71bc24485abf964125a76726fb67f5952b679a4713a94bcb7d604de0115ca4
Instruction Fuzzy Hash: 3B413D76900218BFDB21DBA4CD41BDEBBB8AF09300F008095FA59B7191DB756E85CBA1

Function 0034172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00341769
_free.LIBCMT ref: 00341834
_free.LIBCMT ref: 0034183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00341760, 00341767, 00341796, 003417CE

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 8c4ae567398cb6a8943b5807a9bfce856f65d26737637d15a9245b9e72f3abec
Instruction ID: b04559281cf0f45cd4b51aaa8e2b22da9bc6b18b74fdb5866a777d09c999abb4
Opcode Fuzzy Hash: 8c4ae567398cb6a8943b5807a9bfce856f65d26737637d15a9245b9e72f3abec
Instruction Fuzzy Hash: 88318D75A00658AFDB23DB99DC81D9EBBFCEB89310F554166F904EF211D670AA80CB90

Function 0037C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0037C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0037C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003E1990,00FD7210), ref: 0037C395

Strings

0, xrefs: 0037C2DF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6cc4b52ba1aa5cdcba2c96663dcaf9095b3827bd5657cda36d12e75a3efb2138
Instruction ID: 3e8ec780f4cdd6687350e544ed9f89619d892cf9f6679909e82b2cc7abb61fc7
Opcode Fuzzy Hash: 6cc4b52ba1aa5cdcba2c96663dcaf9095b3827bd5657cda36d12e75a3efb2138
Instruction Fuzzy Hash: FE41B4352143019FE736DF25D884B5ABBE8AF85320F00DA1DF9699B2D1D738E904CB62

Function 003A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003ACC08,00000000,?,?,?,?), ref: 003A44AA
GetWindowLongW.USER32 ref: 003A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A44D7

Strings

SysTreeView32, xrefs: 003A447C

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 428277a1e99b345b8bc5217ba3477dc07550766e22b51f138ff44a42034c7c53
Instruction ID: f6d90a1cfb0eef6989ecf1844b07781e9c39b43677ce0f81429c100d5bf4cfc2
Opcode Fuzzy Hash: 428277a1e99b345b8bc5217ba3477dc07550766e22b51f138ff44a42034c7c53
Instruction Fuzzy Hash: F031C031210605AFDF268F78DC45BEA77A9EB4A334F214725F975921E0D7B0EC509B50

Function 00376E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00376EED
VariantCopyInd.OLEAUT32(?,?), ref: 00376F08
VariantClear.OLEAUT32(?), ref: 00376F12

Strings

*j7, xrefs: 00376E8B, 00376E90, 00376EF8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j7
API String ID: 2173805711-3979623430
Opcode ID: f6e505f950d568daf070ccb473d42ce404f5f82eb2152a053db23482021417fd
Instruction ID: cd8f08161c2c36bffa9b32ac795dbd33ee54bf2fb6b167e706113360007ce940
Opcode Fuzzy Hash: f6e505f950d568daf070ccb473d42ce404f5f82eb2152a053db23482021417fd
Instruction Fuzzy Hash: F231A471604646DFCB1BAF64E8629BD77BAFF49300B104498F9064F2A1C7389D62EBD4

Function 0039304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0039335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00393077,?,?), ref: 00393378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0039307A
_wcslen.LIBCMT ref: 0039309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00393106

Strings

255.255.255.255, xrefs: 00393095, 0039309A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 04c3ac39012d3c61cb6b75d6e26ed9d18cf7fc2e7b5d60cd3d8ea8c2bb588b2a
Instruction ID: f2babebdc00ab41c8b0a806ab58d6c5d43579380beaff30e19a0f24254ec5885
Opcode Fuzzy Hash: 04c3ac39012d3c61cb6b75d6e26ed9d18cf7fc2e7b5d60cd3d8ea8c2bb588b2a
Instruction Fuzzy Hash: 3831E7B92042019FCF22DF68C485EAA77F4EF15318F258059E9168F7A2D731EE45C761

Function 003A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003A471A

Strings

msctls_updown32, xrefs: 003A4684

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 8283ade1e650cd4fc3adab9e5f44c117d17c0fa0e8321e7cf645072fd202bdef
Instruction ID: 548332c49ae45795bf35e0d6d4a901eb6d011fe7c8fe49bc5f98dc2c00b07812
Opcode Fuzzy Hash: 8283ade1e650cd4fc3adab9e5f44c117d17c0fa0e8321e7cf645072fd202bdef
Instruction Fuzzy Hash: 152192B5600244AFDB12DF68DCC1DB777ADEB8B394B050059F9109B2A1DB71EC11CB60

Function 003795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037961D

Strings

#requireadmin, xrefs: 003795D9
#notrayicon, xrefs: 003795B7
#OnAutoItStartRegister, xrefs: 003795F3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ef2f7181ea0b3fe957194f47c4e1514e178fba61424a77bbb36ad57e28cd96dd
Instruction ID: 71d18f61b7634881238a080b778d96e9cb164399a20a4df211234948ff632cad
Opcode Fuzzy Hash: ef2f7181ea0b3fe957194f47c4e1514e178fba61424a77bbb36ad57e28cd96dd
Instruction Fuzzy Hash: 3B215B7210462166C333BB259C42FF773ECDF56320F158227F94D9B181EB59AD85C295

Function 003A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003A3876

Strings

Listbox, xrefs: 003A380F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 923fb22e0f835f909d3e18d473d962904d0bc195a4ff86aa8bbfddd86cc8473b
Instruction ID: 78d4a30380fd652ec567ff667498fee4f0513fb4a1837a3fd834134c9992ff82
Opcode Fuzzy Hash: 923fb22e0f835f909d3e18d473d962904d0bc195a4ff86aa8bbfddd86cc8473b
Instruction Fuzzy Hash: 6621A472610118BBEF238F54DC85FBB376EEF8A750F118125F9149B190CA76DC5187A0

Function 003849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00384A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00384A5C
SetErrorMode.KERNEL32(00000000,?,?,003ACC08), ref: 00384AD0

Strings

%lu, xrefs: 00384A6F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f3f174c62b42f7b82669fb3ee441e652b4eaa51d87d403723bacb21128f1e161
Instruction ID: fe43045abb3fae3059ce2adc1bac32f37fd19db90d6506f62d3b68d9d9b21125
Opcode Fuzzy Hash: f3f174c62b42f7b82669fb3ee441e652b4eaa51d87d403723bacb21128f1e161
Instruction Fuzzy Hash: 71318071A00209AFDB15DF54C885EAA7BF8EF09304F1480A5E809DF252D775EE45CB61

Function 003A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003A4271

Strings

msctls_trackbar32, xrefs: 003A4226

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 778e1dbeb11241574365073e38e23ef0e6aba8615127cfa68435d1ffdfc949ef
Instruction ID: 58a3ab9ea475a9d5c680697f04a992bd02be4dad36ef21fabe251920a534f737
Opcode Fuzzy Hash: 778e1dbeb11241574365073e38e23ef0e6aba8615127cfa68435d1ffdfc949ef
Instruction Fuzzy Hash: DF110631240248BEEF225F68CC46FAB7BACEFD6B54F020524FA55E60A0D6B1DC519B50

Function 00372F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

Part of subcall function 00372DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00372DC5
Part of subcall function 00372DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00372DD6
Part of subcall function 00372DA7: GetCurrentThreadId.KERNEL32 ref: 00372DDD
Part of subcall function 00372DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00372DE4

GetFocus.USER32 ref: 00372F78

Part of subcall function 00372DEE: GetParent.USER32(00000000), ref: 00372DF9

GetClassNameW.USER32(?,?,00000100), ref: 00372FC3
EnumChildWindows.USER32(?,0037303B), ref: 00372FEB

Strings

%s%d, xrefs: 00372FFF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d66692c05c6df61d6068e8e55d69e3ac4f83dd7104b4dd31ab0ca162a5450aa8
Instruction ID: f8f9dc88392a190facf18a963f74a81af87076331ac9f8f738cf7f5099a24126
Opcode Fuzzy Hash: d66692c05c6df61d6068e8e55d69e3ac4f83dd7104b4dd31ab0ca162a5450aa8
Instruction Fuzzy Hash: CB11E4716002056BCF26BF748CD6EEE37AAAF89304F04C075F90D9F252DE349A459B60

Function 003A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003A58EE
DrawMenuBar.USER32(?), ref: 003A58FD

Strings

0, xrefs: 003A588F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 32b384deb5b08467f7d9dc59f32e60868d076f3bf36547891195c38dc1224016
Instruction ID: eabcb326c4d9d8419776810f65c70210cf989749fba0efa57e0390b4edcbcafc
Opcode Fuzzy Hash: 32b384deb5b08467f7d9dc59f32e60868d076f3bf36547891195c38dc1224016
Instruction Fuzzy Hash: 15011E31510218EFDB129F11EC44BAFBBB8FF46761F1480A9F849DA151DB308A94DF21

Function 0037007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6c83e98d22f137b362692ffd6e6c5f455d7d66162673dc6b52f08510d8caf9
Instruction ID: 9fc689b24bef7e1bbc482a9046526bdf1ee9774cbe3316239a25760b97025185
Opcode Fuzzy Hash: dd6c83e98d22f137b362692ffd6e6c5f455d7d66162673dc6b52f08510d8caf9
Instruction Fuzzy Hash: E3C15B75A0020AEFDB29CFA4C894EAEB7B5FF48704F218598E509EB251D735ED41CB90

Function 0039342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00393459
CoUninitialize.OLE32 ref: 00393463
VariantInit.OLEAUT32(?), ref: 0039346E
VariantClear.OLEAUT32(?), ref: 0039371B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d43fb50c8eea927af395efe56dc0c50f8dc1bda2dfec75515de40a168e00c98c
Instruction ID: 737bad0933f65d3d9abe8e70385458f029f14896ef73c2b83b4173f5cba9532a
Opcode Fuzzy Hash: d43fb50c8eea927af395efe56dc0c50f8dc1bda2dfec75515de40a168e00c98c
Instruction Fuzzy Hash: BFA13A752042109FCB16DF28C485A6AB7E9FF8D714F058859F98A9F362DB30ED41CB91

Function 00370436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003AFC08,?), ref: 003705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003AFC08,?), ref: 00370608
CLSIDFromProgID.OLE32(?,?,00000000,003ACC40,000000FF,?,00000000,00000800,00000000,?,003AFC08,?), ref: 0037062D
_memcmp.LIBVCRUNTIME ref: 0037064E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8f7ddfd567676ace6c9ca50b03a425e66df289c07430449bc120280b3131fbf5
Instruction ID: a712cf8d34cef2dcfc3926570dff0b652435e7582552aac00d16c8d3133b920e
Opcode Fuzzy Hash: 8f7ddfd567676ace6c9ca50b03a425e66df289c07430449bc120280b3131fbf5
Instruction Fuzzy Hash: 9B812971A00109EFCB15DF94C984EEEB7B9FF89315F208598E506AB250DB75AE06CF60

Function 0039A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0039A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0039A6BA

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Process32NextW.KERNEL32(00000000,?), ref: 0039A79C
CloseHandle.KERNEL32(00000000), ref: 0039A7AB

Part of subcall function 0032CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00353303,?), ref: 0032CE8A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: fd680bd2788d11fab9a9494d6330c082dfca3bdf17508cd78cbcca0351648b42
Instruction ID: eb22b27bd217ed42fd645cc568705eac9df75a33ddb9f4ed55ac39beb0f72e24
Opcode Fuzzy Hash: fd680bd2788d11fab9a9494d6330c082dfca3bdf17508cd78cbcca0351648b42
Instruction Fuzzy Hash: FD516F71508310AFD715EF24D886A6BBBF8FF89754F00491DF5899B252EB30D944CB92

Function 00351391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003514C0

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7578f0748e40a0c4974b8586792f1f31be0cb375d3fce4b143e88ae8712efdc4
Instruction ID: cf4d556ba64e6a00883bb0f87dfdb753e8967cd37f8633ad58365c5513f53a06
Opcode Fuzzy Hash: 7578f0748e40a0c4974b8586792f1f31be0cb375d3fce4b143e88ae8712efdc4
Instruction Fuzzy Hash: 28411975A00100ABDB23ABBB9C85FAF3AF8EF42371F154625FC19DE2B2E67448455361

Function 003A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003A62E2
ScreenToClient.USER32(?,?), ref: 003A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 003A6382

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8a5cba754a401ef5f6879b1d125a5200ab83a1d2dca0884366265e62676bc252
Instruction ID: 8c5e88e6ba88cec7179d373c96bdd6b26d6a0c9774beb3fce4ea81739288abaa
Opcode Fuzzy Hash: 8a5cba754a401ef5f6879b1d125a5200ab83a1d2dca0884366265e62676bc252
Instruction Fuzzy Hash: C4514E74A00249EFCF22DF64D881AAE7BB5FF46360F158259F9159B2A1D730ED81CB90

Function 00391AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00391AFD
WSAGetLastError.WSOCK32 ref: 00391B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00391B8A
WSAGetLastError.WSOCK32 ref: 00391B94

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a5a74af65ad8bca13743700060711bd483f8711ede269ae16c9c0c3a82006f8d
Instruction ID: 458c8f0edea159dc9144def4ef53030979663f76846a4c1e99428bb7b15993dd
Opcode Fuzzy Hash: a5a74af65ad8bca13743700060711bd483f8711ede269ae16c9c0c3a82006f8d
Instruction Fuzzy Hash: C341B3346402016FEB26AF24C886F6977E5AB48718F54C448F91A9F3D3D772ED82CB90

Function 0034B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e3a87c936f182760bc588f734bf69048b2425a44122078807ed4c156c2751e
Instruction ID: 2e1035e2f702b756de35e39a51e04b4e8f1fc6cb4d0991bf15ca89a3eb397355
Opcode Fuzzy Hash: 83e3a87c936f182760bc588f734bf69048b2425a44122078807ed4c156c2751e
Instruction Fuzzy Hash: BC410475A00304AFD7269F39C842BAAFBE9EF88710F10452AF515DF692D371E9018B80

Function 003856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00385783
GetLastError.KERNEL32(?,00000000), ref: 003857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003857FA

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e46f73324ccac5473e8ee3d1f2cb3f6a1cf08f9304fe01008be200d06d0a997a
Instruction ID: 09375fb1707581051b1659bbdbd855e7831467273d9c4742ad94e455d4fb5ecf
Opcode Fuzzy Hash: e46f73324ccac5473e8ee3d1f2cb3f6a1cf08f9304fe01008be200d06d0a997a
Instruction Fuzzy Hash: 1941EC35600610DFCB16EF15C545A5DBBF6AF49720B198488E84A5F362CB35FD41CB91

Function 0034D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00336D71,00000000,00000000,003382D9,?,003382D9,?,00000001,00336D71,?,00000001,003382D9,003382D9), ref: 0034D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0034D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0034D9AB
__freea.LIBCMT ref: 0034D9B4

Part of subcall function 00343820: RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e76213e7689067ec976677bc894ac5573b684458c9de91877763bb86bda19f62
Instruction ID: fc47a13910a52e705bf1c9ce7e4f7de4b62bbe3018472a8aaaa8d7badccc18a0
Opcode Fuzzy Hash: e76213e7689067ec976677bc894ac5573b684458c9de91877763bb86bda19f62
Instruction Fuzzy Hash: BC31B072A1020AABDF269F64DC85EAF7BE9EB41710F064168FC04DB150EB35ED54CB90

Function 003A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 003A5352
GetWindowLongW.USER32(?,000000F0), ref: 003A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003A53A8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c7fc9b7372b066ca1c5554c293d608dc35e4e465ec84b0eac939e0732b089c5b
Instruction ID: 571eaf11976dad5779a9007d438b9bce1febec672e90871f48cb7ad703204e43
Opcode Fuzzy Hash: c7fc9b7372b066ca1c5554c293d608dc35e4e465ec84b0eac939e0732b089c5b
Instruction Fuzzy Hash: 3931E238A55A08FFEF379E14CC45BE87769EB87390F594101FA11962E1C7B09980DB41

Function 0037AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0037ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0037AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0037AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0037ACC6

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 96bed013c543187cab73e63957cba487d028471d6c16ab8bd72e2bf2ef42fa12
Instruction ID: 7c435725a2ff38fcf8d483d63fd67dececff49d21054310b0852a4a869480882
Opcode Fuzzy Hash: 96bed013c543187cab73e63957cba487d028471d6c16ab8bd72e2bf2ef42fa12
Instruction Fuzzy Hash: 64311870A04A1A7FEF37CB658805BFE7AA9ABC5310F04D31AE489D61D1C37C89818792

Function 003A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 003A769A
GetWindowRect.USER32(?,?), ref: 003A7710
PtInRect.USER32(?,?,003A8B89), ref: 003A7720
MessageBeep.USER32(00000000), ref: 003A778C

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fe172a4339a02630e843ee4b4e9909edb7b327d1f514e9dc95466599985265fd
Instruction ID: 5d35f91e245c635fd9e7b8833e32a70233421cb79f684b2b90ee5217e41b69ba
Opcode Fuzzy Hash: fe172a4339a02630e843ee4b4e9909edb7b327d1f514e9dc95466599985265fd
Instruction Fuzzy Hash: C2415934A09254DFCB13CF58CDD4EA9B7F9FB4A354F1A41A8E8149F2A1D732A941CB90

Function 003A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003A16EB

Part of subcall function 00373A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00373A57
Part of subcall function 00373A3D: GetCurrentThreadId.KERNEL32 ref: 00373A5E
Part of subcall function 00373A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003725B3), ref: 00373A65

GetCaretPos.USER32(?), ref: 003A16FF
ClientToScreen.USER32(00000000,?), ref: 003A174C
GetForegroundWindow.USER32 ref: 003A1752

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a44db9df7dbc401a65e0b7fa7d20fee2ebc71533262df94fd75e4c54d4625055
Instruction ID: 5e49ade4ecda3d5ca3e860a9d34560ddb3ea1b8b8f0b6bc8e2b0c06c7082cb8c
Opcode Fuzzy Hash: a44db9df7dbc401a65e0b7fa7d20fee2ebc71533262df94fd75e4c54d4625055
Instruction Fuzzy Hash: B2313D75D00249AFCB05EFAAC8858EEBBFDEF49304B5490A9E415EB211D6319E45CBA0

Function 003A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

GetCursorPos.USER32(?), ref: 003A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00367711,?,?,?,?,?), ref: 003A9016
GetCursorPos.USER32(?), ref: 003A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00367711,?,?,?), ref: 003A9094

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d0abf77ac7f6b23dfa7f76c17bc7d4c8a458558fc89e710cbe20d3e06ca486d2
Instruction ID: faf8750341d4ff5e5ba409866c1c8bdb774c9b001e585fd364e97dc0bafb602d
Opcode Fuzzy Hash: d0abf77ac7f6b23dfa7f76c17bc7d4c8a458558fc89e710cbe20d3e06ca486d2
Instruction Fuzzy Hash: 39219F35600018EFCB27CF95D898FEA7BB9EB4B390F144196F9055B2A1C3319D90DB60

Function 0037D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,003ACB68), ref: 0037D2FB
GetLastError.KERNEL32 ref: 0037D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0037D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003ACB68), ref: 0037D376

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0c13fd2504a4985ca8002bf013de70c990ffd22869a705953d24995cc47f91d5
Instruction ID: 4f377cead2149f3216c0fea8dc23e5434af78b2410b75ca8538af53d6fcc6ed9
Opcode Fuzzy Hash: 0c13fd2504a4985ca8002bf013de70c990ffd22869a705953d24995cc47f91d5
Instruction Fuzzy Hash: 7521A3745042019FD726DF24C8819AA77F8EE5A324F108A1DF499C72A1DB35D945CB93

Function 00371571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00371014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0037102A
Part of subcall function 00371014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00371036
Part of subcall function 00371014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00371045
Part of subcall function 00371014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0037104C
Part of subcall function 00371014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00371062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003715BE
_memcmp.LIBVCRUNTIME ref: 003715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00371617
HeapFree.KERNEL32(00000000), ref: 0037161E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d92c8da88d70efb68545de0a987ca9dd51ef9f213d8adcc1ca55514c5f7a0a1c
Instruction ID: e6ba8b653749faede4e3f1dafce13cd3fdce2ef782110cff16d273bb79fd3de8
Opcode Fuzzy Hash: d92c8da88d70efb68545de0a987ca9dd51ef9f213d8adcc1ca55514c5f7a0a1c
Instruction Fuzzy Hash: B421A132E00108EFDF25DFA8C945BEEB7B8EF45354F198459E845AB241E734AA05DF50

Function 003A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 003A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003A2840

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 014c90371e83f37ae5fe363cf3d74dbe856ebb4684bdf27f66bd31f6696aeb42
Instruction ID: 4d956cd9d69d8271d7931cfc63e1e8b2f4a16c756483f747c10ace2ba85ab6f9
Opcode Fuzzy Hash: 014c90371e83f37ae5fe363cf3d74dbe856ebb4684bdf27f66bd31f6696aeb42
Instruction Fuzzy Hash: 4A21C131604511AFD71A9B28C844FAB7B99EF47324F158258F4268B6E2CB75FD82CB90

Function 003778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00378D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0037790A,?,000000FF,?,00378754,00000000,?,0000001C,?,?), ref: 00378D8C
Part of subcall function 00378D7D: lstrcpyW.KERNEL32(00000000,?,?,0037790A,?,000000FF,?,00378754,00000000,?,0000001C,?,?,00000000), ref: 00378DB2
Part of subcall function 00378D7D: lstrcmpiW.KERNEL32(00000000,?,0037790A,?,000000FF,?,00378754,00000000,?,0000001C,?,?), ref: 00378DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00378754,00000000,?,0000001C,?,?,00000000), ref: 00377923
lstrcpyW.KERNEL32(00000000,?,?,00378754,00000000,?,0000001C,?,?,00000000), ref: 00377949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00378754,00000000,?,0000001C,?,?,00000000), ref: 00377984

Strings

cdecl, xrefs: 0037797B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0c0a8b60686f0ba1e9879ab2ddf416f999e543573dbb9245e236e5c28817ea0e
Instruction ID: 3b81e48d2649f6346a732aa3585c4399c33b3ebe4a6d5f43c356a0bf46e2b407
Opcode Fuzzy Hash: 0c0a8b60686f0ba1e9879ab2ddf416f999e543573dbb9245e236e5c28817ea0e
Instruction Fuzzy Hash: EC11D63A201201AFCB275F34D845E7A77A9FF96350B51802AF94ACB2A4EB359811C791

Function 003A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 003A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 003A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0038B7AD,00000000), ref: 003A7D6B

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4676931fab18f8598e3254d63c2b03ecc157acb2a595ff3a2bdd00746df5edf2
Instruction ID: da875cd4594ccb6f0ae7ee9ec18d194f09357cde2c7b01eb4bb796faeda423d1
Opcode Fuzzy Hash: 4676931fab18f8598e3254d63c2b03ecc157acb2a595ff3a2bdd00746df5edf2
Instruction Fuzzy Hash: 2B117231615665AFCB129F28DC84AAA3BA9EF47360F164724F835DB2F0D7309951CB90

Function 003A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003A56BB
_wcslen.LIBCMT ref: 003A56CD
_wcslen.LIBCMT ref: 003A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 003A5816

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0ecf3e7949ee6eead6f5f6641daaf1d92a3b49eac54e2ad110ed7b84324c9d93
Instruction ID: dbedf699028755c94d2e363153b9306536f132664ea103ffec1123b175b9afa4
Opcode Fuzzy Hash: 0ecf3e7949ee6eead6f5f6641daaf1d92a3b49eac54e2ad110ed7b84324c9d93
Instruction Fuzzy Hash: 8F11D37560461896DB22DF61CC85AEE77BCEF16760F10412AF915DA091EB70DA84CBA0

Function 00371A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00371A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00371A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00371A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00371A8A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 95e67817d1d967c756694164f7dff96358d0431106fcc99ee43ec58a62916ea5
Instruction ID: aeee874bf84c4c0f006da8aad975f4b6fdac0f43a1fa2f431b30976001b16866
Opcode Fuzzy Hash: 95e67817d1d967c756694164f7dff96358d0431106fcc99ee43ec58a62916ea5
Instruction Fuzzy Hash: 7E11393AD01219FFEB11DBA8CD85FADFB78EB08750F204091EA04B7290D671AE50DB94

Function 0037E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0037E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0037E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0037E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0037E24D

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b166a336593d97a812356fd9cc3be7d69ea906aed29c6c8fd957340f14e0c935
Instruction ID: a082fde6388a170da44a61c0ccc0fdb4c91d1fad9cbdbe92408024ec4a0b2963
Opcode Fuzzy Hash: b166a336593d97a812356fd9cc3be7d69ea906aed29c6c8fd957340f14e0c935
Instruction Fuzzy Hash: 67110876A04258BBC723ABA8DC45A9F7FACAB45310F008755F828D73D1D678C90087A0

Function 0033D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0033CFF9,00000000,00000004,00000000), ref: 0033D218
GetLastError.KERNEL32 ref: 0033D224
__dosmaperr.LIBCMT ref: 0033D22B
ResumeThread.KERNEL32(00000000), ref: 0033D249

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 65e3e3e88a1425bfc975daf6ebc557255de2756f2768158b3f071255f432d4a8
Instruction ID: 1a9c7aa7562f99ddad2b6b2269ca83a4102345b294a7a7d49831154ac38812b0
Opcode Fuzzy Hash: 65e3e3e88a1425bfc975daf6ebc557255de2756f2768158b3f071255f432d4a8
Instruction Fuzzy Hash: 7701C036815208BBCB235BA5EC89AAB7A6DDF82731F110619F925DA1D0CF718941C7A0

Function 0031600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0031604C
GetStockObject.GDI32(00000011), ref: 00316060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0031606A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d1ce2566ff8a97a85f4ef75cf9a902f0adcf2d6f456c50e2aab575316f79e2d9
Instruction ID: 0fa7d1fd37074e72e53abf128a241adc4a9c478f5d78601db0d7e951ddb01c24
Opcode Fuzzy Hash: d1ce2566ff8a97a85f4ef75cf9a902f0adcf2d6f456c50e2aab575316f79e2d9
Instruction Fuzzy Hash: 1111AD72505508BFEF1B8FA48C45EEABBADEF0D3A4F050205FA0452120C7329CA0DBA0

Function 00333B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00333B56

Part of subcall function 00333AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00333AD2
Part of subcall function 00333AA3: ___AdjustPointer.LIBCMT ref: 00333AED

_UnwindNestedFrames.LIBCMT ref: 00333B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00333B7C
CallCatchBlock.LIBVCRUNTIME ref: 00333BA4

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d0a0907cc02d0c4d25cec1de61a5fcd59a876b82f02520df630679ef24918a28
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 6F012932100148BBDF125F95CC82EEB7B69EF48754F058014FE48AA121C736E961DBA0

Function 00343073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003113C6,00000000,00000000,?,0034301A,003113C6,00000000,00000000,00000000,?,0034328B,00000006,FlsSetValue), ref: 003430A5
GetLastError.KERNEL32(?,0034301A,003113C6,00000000,00000000,00000000,?,0034328B,00000006,FlsSetValue,003B2290,FlsSetValue,00000000,00000364,?,00342E46), ref: 003430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0034301A,003113C6,00000000,00000000,00000000,?,0034328B,00000006,FlsSetValue,003B2290,FlsSetValue,00000000), ref: 003430BF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1449ca3f7aa9ffde94bb1bfecff8cc8c765ffb60d01b4f6b61247ac5e96ee055
Instruction ID: f1c68ec1c1c33af3825efebecc4a4e2938d21101462dde65e9962ed8f6d39937
Opcode Fuzzy Hash: 1449ca3f7aa9ffde94bb1bfecff8cc8c765ffb60d01b4f6b61247ac5e96ee055
Instruction Fuzzy Hash: 7001DB36712222ABCB334B799C45A677BDCAF46B61F210720F907EB180D721E901C6E0

Function 00377464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0037747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00377497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003774CA

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: dce08558de9cb37a1d6a380f460a7e1a3add72fc8cb015985d2a327c9259f862
Instruction ID: 34e12762bca4bee63b7012f6af252abbfb029cb089b13a73df19f52883d07d54
Opcode Fuzzy Hash: dce08558de9cb37a1d6a380f460a7e1a3add72fc8cb015985d2a327c9259f862
Instruction Fuzzy Hash: AD11ADB1219310ABE7328F26DC08FA27FFCEB04B00F10C569A61AD6591D7B4E904DB60

Function 0037B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0037ACD3,?,00008000), ref: 0037B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0037ACD3,?,00008000), ref: 0037B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0037ACD3,?,00008000), ref: 0037B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0037ACD3,?,00008000), ref: 0037B126

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d08aa7c7b11a1d7e391600b00cd3658163e64db307090a4d803936910d1ae5de
Instruction ID: 776528eb002fb2f94b93697b95f30c379be7c2cf804c976fcb8fcbbedb9ccbb7
Opcode Fuzzy Hash: d08aa7c7b11a1d7e391600b00cd3658163e64db307090a4d803936910d1ae5de
Instruction Fuzzy Hash: 40117930E01528E7CF22AFA4E9697EEFB78FF0A311F018086D985B2181CB3456518B51

Function 00372DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00372DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00372DD6
GetCurrentThreadId.KERNEL32 ref: 00372DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00372DE4

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 93b1a2323f0446390bb92b155b6496c5a0321cc3f055427606bef877b12955f8
Instruction ID: 5d546bb6ca63d150bff327d79181530a83cb19643ef6d6b260794ebc9869bb2c
Opcode Fuzzy Hash: 93b1a2323f0446390bb92b155b6496c5a0321cc3f055427606bef877b12955f8
Instruction Fuzzy Hash: 88E09271611224BBD7325B729C0DFEB3E6CFF43BA1F045015F109E10909AA8C840C6B0

Function 003A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00329639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00329693
Part of subcall function 00329639: SelectObject.GDI32(?,00000000), ref: 003296A2
Part of subcall function 00329639: BeginPath.GDI32(?), ref: 003296B9
Part of subcall function 00329639: SelectObject.GDI32(?,00000000), ref: 003296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003A8887
LineTo.GDI32(?,?,?), ref: 003A8894
EndPath.GDI32(?), ref: 003A88A4
StrokePath.GDI32(?), ref: 003A88B2

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e54a07d54fae746192562800350c1ea6eb03141f12a28f29b6a561ee6f243e65
Instruction ID: 8b468b4e503fddaa528f2e405dfc64a02d2c01ba0de205e027cc42fe00cb70fe
Opcode Fuzzy Hash: e54a07d54fae746192562800350c1ea6eb03141f12a28f29b6a561ee6f243e65
Instruction Fuzzy Hash: 4CF03A36055258BADB135F94AC0DFCE3A5DAF06310F448100FA11650E2CB795511CBE9

Function 003298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003298CC
SetTextColor.GDI32(?,?), ref: 003298D6
SetBkMode.GDI32(?,00000001), ref: 003298E9
GetStockObject.GDI32(00000005), ref: 003298F1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b7ea1d7e88f22e3abf69711a9dadec8723f2cb6057f8f0906eb86c9e5551a85b
Instruction ID: c87e50e18909352fe069ca6ac1f22121ccc0c377ef18c77d6e7c3fb7ad2d12b6
Opcode Fuzzy Hash: b7ea1d7e88f22e3abf69711a9dadec8723f2cb6057f8f0906eb86c9e5551a85b
Instruction Fuzzy Hash: DCE06D31254280AADB235B75BC0DBE83F64EB13336F04C21AF6FA980E1C77246819B10

Function 0037162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00371634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003711D9), ref: 0037163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003711D9), ref: 00371648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003711D9), ref: 0037164F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 817c30930a596e14e8f866162254906faff255a66f5b4b617f114c6ef4da3913
Instruction ID: 2d185b5c4ede50781c67162caca9d59b326cb67718d64cb4e6edbde63c6982ae
Opcode Fuzzy Hash: 817c30930a596e14e8f866162254906faff255a66f5b4b617f114c6ef4da3913
Instruction Fuzzy Hash: C0E08C36612211EBDB311FA4AE0DB873BBCBF46792F158808F649C9080EA3C8540CB60

Function 0036D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0036D858
GetDC.USER32(00000000), ref: 0036D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0036D882
ReleaseDC.USER32(?), ref: 0036D8A3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 33276dd5b06eb3fbacc7d17c5d2c20090b6c6bb8debf7a4945e3d666258a0bfe
Instruction ID: eddb148787233ff3b94074f8e4db63c8b719e6b5c56fb667ed28b9c2c4440a03
Opcode Fuzzy Hash: 33276dd5b06eb3fbacc7d17c5d2c20090b6c6bb8debf7a4945e3d666258a0bfe
Instruction Fuzzy Hash: 66E09AB5910215DFCB43DFA0D90C66DBBB9FB09711F14A459E846E7360CB389941EF50

Function 0036D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0036D86C
GetDC.USER32(00000000), ref: 0036D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0036D882
ReleaseDC.USER32(?), ref: 0036D8A3

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6bcdd6bcc80b053cafe395061668b8e23d8c8b98178767d43f297a9cdd788573
Instruction ID: 396c21bc46ccff5a9d7c7220ba4bec0c02116c8712ceb19eddd7ebbbee9bcc49
Opcode Fuzzy Hash: 6bcdd6bcc80b053cafe395061668b8e23d8c8b98178767d43f297a9cdd788573
Instruction Fuzzy Hash: A1E09A75810204DFCB52DFA0D80866DBBB9BB09711F14A449E946E7360CB389941DF50

Function 00384D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00317620: _wcslen.LIBCMT ref: 00317625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00384ED4

Strings

*, xrefs: 00384E10
LPT, xrefs: 00384DFB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 9bc7498817b8e5edf531b9d3d0e6d30292367082c13ab4e58b717207fdb4b742
Instruction ID: 844e644841dad6d7de41e2ef1e11a5f48a8127e78bc44b108e8e5e284529745a
Opcode Fuzzy Hash: 9bc7498817b8e5edf531b9d3d0e6d30292367082c13ab4e58b717207fdb4b742
Instruction Fuzzy Hash: 53917F75A002059FCB16EF58C484EAABBF5AF48304F1980DDE50A9F762D735ED85CB90

Function 00397771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0036569E,00000000,?,003ACC08,?,00000000,00000000), ref: 003978DD

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

CharUpperBuffW.USER32(0036569E,00000000,?,003ACC08,00000000,?,00000000,00000000), ref: 0039783B

Strings

<s=, xrefs: 003977C8

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s=
API String ID: 3544283678-2387256258
Opcode ID: 2e447793ac288ed6a9b74e10d3012594138cb2fce393ace310522f8302bb255d
Instruction ID: 7044d8c08197d39a83243bfcd913b8eb902497b12524501d958e916c6b1b993f
Opcode Fuzzy Hash: 2e447793ac288ed6a9b74e10d3012594138cb2fce393ace310522f8302bb255d
Instruction Fuzzy Hash: CD613076924119AACF0BEBE4CC92DFDB378FF18700B544526F542AB191EF305A85DBA0

Function 0032E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0032E1B1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 77ff8aa927f4041a6190fde7d46b4c0599a7ddeefa172f9dcaf295c360633459
Instruction ID: b3d70faf8e85305eda5fb048e2ddd8504c5efba8267a44e6a1c6acdf7eb32973
Opcode Fuzzy Hash: 77ff8aa927f4041a6190fde7d46b4c0599a7ddeefa172f9dcaf295c360633459
Instruction Fuzzy Hash: 84514139500316DFDB1BEF28D082AFA7BA8EF16310F248455E8929B2C4D7349D46CBA0

Function 0032F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0032F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0032F2BB

Strings

@, xrefs: 0032F2AF

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a6bcc862bcb100fc9d4a8264d0e8311f06080f4612deba72a1e3444e33931e38
Instruction ID: 07f7a770b77fcdb16c53e67786acb2439ad3c9c58f12d5e483c3a6d244aead2b
Opcode Fuzzy Hash: a6bcc862bcb100fc9d4a8264d0e8311f06080f4612deba72a1e3444e33931e38
Instruction Fuzzy Hash: 5B5164714187449BD321AF10DC86BABBBF8FB89304F81884CF199860A5EB309569CB66

Function 00395745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003957E0
_wcslen.LIBCMT ref: 003957EC

Strings

CALLARGARRAY, xrefs: 003957E6, 003957EB

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: bd2221906e239cd3aec559ddb8fe86a5c84f01ebd9fdda4cd24a106766a82003
Instruction ID: 27337fd282d5f65fcc735b02bdb500b1ea5bb2dd96770ebf6d3a77f0520599c3
Opcode Fuzzy Hash: bd2221906e239cd3aec559ddb8fe86a5c84f01ebd9fdda4cd24a106766a82003
Instruction Fuzzy Hash: 1F41BE31A042199FCF16DFA9C8869FEBBF5FF59320F118069E505AB251E7309D81CB90

Function 0038D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0038D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0038D13A

Strings

|, xrefs: 0038D10B

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 26207da17f2e274c997069650287da0d0d932f52a974eac6388a69518d30d2a1
Instruction ID: c1d6c8a6864070db6266beeb77d334b46c8c666571d08303d0f7422b6ef18f9b
Opcode Fuzzy Hash: 26207da17f2e274c997069650287da0d0d932f52a974eac6388a69518d30d2a1
Instruction Fuzzy Hash: 71313071D00209ABCF16EFA4CD85EEE7FB9FF08310F000159F815AA166DB31AA56CB60

Function 003A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 003A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003A365C

Strings

static, xrefs: 003A35BC

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8b7753e363450f0cd0bb9106cc3922ced62720134e15f86556f1fc15848418e0
Instruction ID: e1d7c2e9c02fb9c17d72b52bad76688da8cba4cbdd7295274d6ed2b8cd238211
Opcode Fuzzy Hash: 8b7753e363450f0cd0bb9106cc3922ced62720134e15f86556f1fc15848418e0
Instruction Fuzzy Hash: 2731BE71510204AEDB16DF68DC80EFB73A9FF8A720F019619F8A597290DA35ED81C760

Function 003A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 003A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A4634

Strings

', xrefs: 003A458E

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 01a7433e7d03b52cd9f3f79e25233268c23578fb8e3052d094badb027c8fe98c
Instruction ID: 7f208503219c55e4dd94c54c49ababdeeb0d2b323be66e52f7295dcfcd708402
Opcode Fuzzy Hash: 01a7433e7d03b52cd9f3f79e25233268c23578fb8e3052d094badb027c8fe98c
Instruction Fuzzy Hash: E5311974E013099FDB15CF69C990BDABBB9FF8A300F154169E905AB391D7B0A941CF90

Function 003A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A3287

Strings

Combobox, xrefs: 003A3249

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 77c41cbfe04eb230adca74c6940566de9da4f6b3ae63316d49106baaf13e7457
Instruction ID: 951e4670d100329e1725b65f74e4d6706065387923a613a561c987b07c306800
Opcode Fuzzy Hash: 77c41cbfe04eb230adca74c6940566de9da4f6b3ae63316d49106baaf13e7457
Instruction Fuzzy Hash: 3511B2713002087FEF269F94DC81FFB7B6EEB9A3A4F114525F9189B290D6319D5187A0

Function 003A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0031600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0031604C
Part of subcall function 0031600E: GetStockObject.GDI32(00000011), ref: 00316060
Part of subcall function 0031600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031606A

GetWindowRect.USER32(00000000,?), ref: 003A377A
GetSysColor.USER32(00000012), ref: 003A3794

Strings

static, xrefs: 003A3757

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 197e174f8e7e4ce33ff6e0b0bf291653af6bb57c6a777832024f8ce88b02878a
Instruction ID: 3429a2cad4768a2b6dd4a825d93fa9cd8d4b6d2f08259cbc188e021a8e24159a
Opcode Fuzzy Hash: 197e174f8e7e4ce33ff6e0b0bf291653af6bb57c6a777832024f8ce88b02878a
Instruction Fuzzy Hash: 9E113AB2610209AFDF02DFA8CC46EFA7BF8FB0A354F015514F955E2250E735E8519B60

Function 0038CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0038CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0038CDA6

Strings

<local>, xrefs: 0038CD66

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4ab0d960563262158a80f6071461ad9098b23cc05f342850d1866abbfd848f8a
Instruction ID: 427667ba305089b4e49a94f891015f2113cf8b9bdab1d13457a9e895c07e0b09
Opcode Fuzzy Hash: 4ab0d960563262158a80f6071461ad9098b23cc05f342850d1866abbfd848f8a
Instruction Fuzzy Hash: 2B110271221731BED73A7B668C49EE7BEACEF127A4F00526AB10983080D7709849D7F0

Function 003A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003A34BA

Strings

edit, xrefs: 003A348F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c27140360aa30d0143f8100bf910fd4d004fa3b6530a32d426c16d20cc890c01
Instruction ID: edafe226dec5e061c7d310947f4c8e11431fc2790d19875c37970e5ef6db662a
Opcode Fuzzy Hash: c27140360aa30d0143f8100bf910fd4d004fa3b6530a32d426c16d20cc890c01
Instruction Fuzzy Hash: 23116A71500208ABEB238E65DC84AFB3B6EEB1A374F514324F961971E0C775DC919B60

Function 00376C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

CharUpperBuffW.USER32(?,?,?), ref: 00376CB6
_wcslen.LIBCMT ref: 00376CC2

Strings

STOP, xrefs: 00376CBC, 00376CC1

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 144f021dcbdec9a6a489ad1d811468c0352790d118d4dc615f72178f203d5db6
Instruction ID: 8b160b0f76e45f15da6b2c6460745d74b436e66a401d4ee2c4a44160924e27eb
Opcode Fuzzy Hash: 144f021dcbdec9a6a489ad1d811468c0352790d118d4dc615f72178f203d5db6
Instruction Fuzzy Hash: 86010432610D2B8ACB339FBDDCA29BF33A8EA65710B124535E85696194EB39D940C650

Function 00371CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 00373CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00373CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00371D4C

Strings

ComboBox, xrefs: 00371CEB
ListBox, xrefs: 00371D16

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 467da4119d59bbf2f26c8318f567bb05e8b1dc577adfd1ba8605a8558980dc8c
Instruction ID: 4234606ced299d4de7863691f70df2a4b822610225963a90a59204a3204872cf
Opcode Fuzzy Hash: 467da4119d59bbf2f26c8318f567bb05e8b1dc577adfd1ba8605a8558980dc8c
Instruction Fuzzy Hash: 7401DD726511146BCB2BFBA4CC51EFE7368EB46390B04451BF8665B3D1EA3459089A60

Function 00371BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 00373CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00373CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00371C46

Strings

ComboBox, xrefs: 00371BE5
ListBox, xrefs: 00371C10

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ffc1463fe1183307dbb4e12efe4a97eb9a9235d9ef31a3c622b65b77d17aff65
Instruction ID: fb476c8103eab73dbcc1cbda4aa25f8e9b6c58552037ad4e0a69a83121a3903b
Opcode Fuzzy Hash: ffc1463fe1183307dbb4e12efe4a97eb9a9235d9ef31a3c622b65b77d17aff65
Instruction Fuzzy Hash: 4A01AC7668110566CB1BE7D4C952AFF77AC9B15340F244016E94A6B2C1EA249F0896B1

Function 00371C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 00373CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00373CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00371CC8

Strings

ComboBox, xrefs: 00371C69
ListBox, xrefs: 00371C94

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b9485d8c98137ea026fdc41b1321cd90622afce7cf7060c7206c428d6c1b698b
Instruction ID: 1722808a0baa0952adb41e35e87482a299aa82ca3e11e0caecadebd26f3bfb7e
Opcode Fuzzy Hash: b9485d8c98137ea026fdc41b1321cd90622afce7cf7060c7206c428d6c1b698b
Instruction Fuzzy Hash: 2501DB7268011567CB27EBD4CA52BFE73AC9B15340F144016B84677281EA249F08D6B1

Function 0032A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0032A529

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Strings

3y6, xrefs: 0032A545, 0032A54D, 0032A552
,%>, xrefs: 0032A509

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%>$3y6
API String ID: 2551934079-3829082738
Opcode ID: 4dd4934e72537a8d876f2571a0be4c3c1132b3b7b2c62a7971c636555ebe44ee
Instruction ID: 2ba7b675abb9cdc3a8e984e11dfe919c7d251e5d8bf159f3237013d1aecf293b
Opcode Fuzzy Hash: 4dd4934e72537a8d876f2571a0be4c3c1132b3b7b2c62a7971c636555ebe44ee
Instruction Fuzzy Hash: 36012B32700A7087C51BF769E867BAFB368DB0B710F500555F9425F2C2DE509D418AD7

Function 003A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003E3018,003E305C), ref: 003A81BF
CloseHandle.KERNEL32 ref: 003A81D1

Strings

\0>, xrefs: 003A818A

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0>
API String ID: 3712363035-2227185054
Opcode ID: e6c1b246d085cd1d23925d2bb624d14dd4b4d2f383425b455794cad5c7d29460
Instruction ID: 2965a95ed818c26f8ba9616ed938e7ac7113d91c972cbdb21ca6e1a7145b4ea5
Opcode Fuzzy Hash: e6c1b246d085cd1d23925d2bb624d14dd4b4d2f383425b455794cad5c7d29460
Instruction Fuzzy Hash: B0F082F5640350BEE732A761AC89FB73A9CDB05760F000560BB09DB1E2D6798E4083F8

Function 0039747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00397493
_wcslen.LIBCMT ref: 003974B9

Strings

3, 3, 16, 1, xrefs: 00397483

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a5adc0f1ef93c08817e3edcc807b77aa19f13f3737761e207c577886bc9f7cce
Instruction ID: 9da83bd0f056979c3418e878b09677e3d5ee2a19ae3be2540093711835239315
Opcode Fuzzy Hash: a5adc0f1ef93c08817e3edcc807b77aa19f13f3737761e207c577886bc9f7cce
Instruction Fuzzy Hash: D2E02B06224220109733137BACC5BBF5789CFC9760B14182BF985C62A7EB949D9193A0

Function 00370B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00370B23

Strings

Error allocating memory., xrefs: 00370B1C
AutoIt, xrefs: 00370B17

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0bee37f4e7de9da3679e0e5cc5e296fb7cc6ed6bc69d17ed16477c81a3fc76de
Instruction ID: b16d4f131ce59360347b83e655da9cc3e8bfc27fd6daf2888ad16602beea3469
Opcode Fuzzy Hash: 0bee37f4e7de9da3679e0e5cc5e296fb7cc6ed6bc69d17ed16477c81a3fc76de
Instruction Fuzzy Hash: C8E048322543186AD21737947C43FC97A94CF06F61F10446BF758595C38FE2659046A9

Function 00330D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0032F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00330D71,?,?,?,0031100A), ref: 0032F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0031100A), ref: 00330D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0031100A), ref: 00330D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00330D7F

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: d4b767019a4e42309bc62c63a120b32c2ec1342a4978a7cdadb5db27b08fe7b8
Instruction ID: 6253dba442f01b44780c261a7375a589f6d4ddb0c3eff29f22b8fe2f0519022a
Opcode Fuzzy Hash: d4b767019a4e42309bc62c63a120b32c2ec1342a4978a7cdadb5db27b08fe7b8
Instruction Fuzzy Hash: 33E06D742003518FD7369FBCE5947867BE4AB05740F004A2DE482CA651DBB0E4848B91

Function 0032E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0032E3D5

Strings

0%>, xrefs: 0032E3B5
8%>, xrefs: 0032E3CA

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%>$8%>
API String ID: 1385522511-1355131203
Opcode ID: 29c2c72bddf6232b36f452e501d6f6abc273d356e7bc3ae61eb6f7fb8d11a490
Instruction ID: ecfcc0265fb13a1e7d7d8bd42b043ee5daa73f4e0057216649f98e046f181adf
Opcode Fuzzy Hash: 29c2c72bddf6232b36f452e501d6f6abc273d356e7bc3ae61eb6f7fb8d11a490
Instruction Fuzzy Hash: 67E08639414AB4CBC61BD718BAE6E8EB35DAB07321F5113A9E2128F1D5DBB038418655

Function 00383017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0038302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00383044

Strings

aut, xrefs: 00383038

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0e1dab51d63925e6c53ee5b032d1ccb50fe973f72e1e4b20491ff91e9b4ba5c5
Instruction ID: d74eb22864600d219924ffbc1ec18155b3bcf02c1f9ddbcd09cb7356496c6b2f
Opcode Fuzzy Hash: 0e1dab51d63925e6c53ee5b032d1ccb50fe973f72e1e4b20491ff91e9b4ba5c5
Instruction Fuzzy Hash: 3CD05EB250032867DE20A7A4AD0EFCB3B6CDB05750F0006A2B6A6E2091DBB09984CAD0

Function 003A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003A233F

Part of subcall function 0037E97B: Sleep.KERNEL32 ref: 0037E9F3

Strings

Shell_TrayWnd, xrefs: 003A2325

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 09c4644831086299ad033ba7dcc836fea6cbcc0b9b6f21265e904785777b9073
Instruction ID: 53b95ea4c7b3c3a481b4db9aea1863cf14f17c749c07b5261f6cab41464a2cab
Opcode Fuzzy Hash: 09c4644831086299ad033ba7dcc836fea6cbcc0b9b6f21265e904785777b9073
Instruction Fuzzy Hash: D4D012377A4310B7E675B771EC0FFC6BA189B56B10F005916B759AA1E0C9F4A801CA54

Function 003A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A236C
PostMessageW.USER32(00000000), ref: 003A2373

Part of subcall function 0037E97B: Sleep.KERNEL32 ref: 0037E9F3

Strings

Shell_TrayWnd, xrefs: 003A2365

Memory Dump Source

Source File: 00000002.00000002.2266131597.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000002.00000002.2265942516.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2267993125.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270582297.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2270621455.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_310000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 64c067322c10c5f02a13a749d838f391c0c1d9dfc9e743ee8fee3eafdb2ec0c0
Instruction ID: bf6e5d7b9a2dd4ae0aa679c09bb9c0e6ce16832336e4547e1d3cd3881ed64526
Opcode Fuzzy Hash: 64c067322c10c5f02a13a749d838f391c0c1d9dfc9e743ee8fee3eafdb2ec0c0
Instruction Fuzzy Hash: 32D0C9327913107AE666A771AC0FFC6A6189B56B10F005916B755AA1E0C9A4A8018A58

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000012.00000003.2330541464.000001EBA7BA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2329602181.000001EBA7BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.2285140231.000001EBAB2D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.2285140231.000001EBAB2D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.2420270445.000001EBA90E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2449909141.000001EBA90E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.2412684711.000001EBB329D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2390780957.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2384509131.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.2422055595.000001EBAAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2408284003.000001EBAAFA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.2280451010.000001EBA7C67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2285140231.000001EBAB2D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.2285140231.000001EBAB2D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.2401285533.000001EBAAA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2417801209.000001EBAAA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3414249249.0000025D58F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.2401285533.000001EBAAA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2417801209.000001EBAAA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3414249249.0000025D58F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000003.2401285533.000001EBAAA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2417801209.000001EBAAA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3414249249.0000025D58F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.2390780957.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2384509131.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.2390780957.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2384509131.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2507831138.000001EBA8B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.2412684711.000001EBB329D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2390780957.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2384509131.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.2390780957.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2384509131.000001EBB3292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.2412591982.000001EBB32EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49929 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49930 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49940 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1de93b63-cfec-4b4e-8b83-37d15a7b833b.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1de93b63-cfec-4b4e-8b83-37d15a7b833b.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre