Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574545
MD5:	5860a1bb4e76af912ba6a63ac572f7f7
SHA1:	1f61042d2c0c6b3756ea0937c419608c8396096a
SHA256:	e1ce7d30cae8f70b196509496438bddb9410ffc4c29c9329e8b78e50e773d745
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4232 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5860A1BB4E76AF912BA6A63AC572F7F7)

taskkill.exe (PID: 3796 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 432 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4816 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5544 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3064 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5900 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6516 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4780 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3420 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2220 -prefMapHandle 2216 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dede55c8-f234-419f-b22f-20f7e764d696} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2585d16d910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7408 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3812 -parentBuildID 20230927232528 -prefsHandle 3828 -prefMapHandle 3840 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ee878f-6b8a-45b2-b47a-e105cf893977} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2585d188210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8180 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4864 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da3b7b02-decf-4612-aa2a-065d83482b73} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 25875768b10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 4232	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0048EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0048EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0048ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0048EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0047AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2113138709.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a923214a-4
Source: file.exe, 00000000.00000000.2113138709.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_074b89f9-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c32422b1-1
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_67c59385-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000207FABD8A77 NtQuerySystemInformation,		18_2_00000207FABD8A77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000207FAD04332 NtQuerySystemInformation,		18_2_00000207FAD04332

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0047D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00471201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00471201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0047E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041BF40	0_2_0041BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00482046	0_2_00482046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418060	0_2_00418060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00478298	0_2_00478298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044E4FF	0_2_0044E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044676B	0_2_0044676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A4873	0_2_004A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CAF0	0_2_0041CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043CAA0	0_2_0043CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CC39	0_2_0042CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00446DD9	0_2_00446DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B119	0_2_0042B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004191C0	0_2_004191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431394	0_2_00431394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043781B	0_2_0043781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042997D	0_2_0042997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417920	0_2_00417920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437A4A	0_2_00437A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437CA7	0_2_00437CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049BE44	0_2_0049BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00449EEE	0_2_00449EEE
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000207FABD8A77	18_2_00000207FABD8A77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000207FAD04332	18_2_00000207FAD04332
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000207FAD04A5C	18_2_00000207FAD04A5C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000207FAD04372	18_2_00000207FAD04372

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0042F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00430A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00419CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/38@74/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004837B5 GetLastError,FormatMessageW,

0_2_004837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004710BF AdjustTokenPrivileges,CloseHandle,		0_2_004710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0048648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2260177451.00000258793F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2220 -prefMapHandle 2216 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dede55c8-f234-419f-b22f-20f7e764d696} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2585d16d910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3812 -parentBuildID 20230927232528 -prefsHandle 3828 -prefMapHandle 3840 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ee878f-6b8a-45b2-b47a-e105cf893977} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2585d188210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4864 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da3b7b02-decf-4612-aa2a-065d83482b73} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 25875768b10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2220 -prefMapHandle 2216 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dede55c8-f234-419f-b22f-20f7e764d696} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2585d16d910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3812 -parentBuildID 20230927232528 -prefsHandle 3828 -prefMapHandle 3840 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ee878f-6b8a-45b2-b47a-e105cf893977} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2585d188210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4864 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da3b7b02-decf-4612-aa2a-065d83482b73} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 25875768b10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2326968034.0000025871501000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: v.pDb source: file.exe, 00000000.00000003.2152782717.0000000001B67000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2152893804.0000000001B70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2335784428.000002586D2B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2328947447.000002586D2B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2333631305.000002586D2B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2335784428.000002586D2B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2328947447.000002586D2B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2326968034.0000025871501000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2333631305.000002586D2B4000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00430A76 push ecx; ret

0_2_00430A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0042F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94839

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_00000207FABD8A77 rdtsc

18_2_00000207FABD8A77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0047DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044C2A2 FindFirstFileExW,	0_2_0044C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004868EE FindFirstFileW,FindClose,	0_2_004868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0048698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00489642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00489642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0048979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00489B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00489B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00485C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00485C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: firefox.exe, 00000012.00000002.3983318334.00000207FA4EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpJ
Source: file.exe, 00000000.00000003.2199634091.0000000001903000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199241216.00000000018FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199702907.0000000001923000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199133758.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3987489579.000001366C500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3986559912.00000207FABF0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3986522539.000001F9E93D0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3982890341.000001F9E8FFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2193656740.0000000001939000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200447914.0000000001939000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120317784.0000000001939000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW!R
Source: firefox.exe, 00000010.00000002.3986871392.000001366C412000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3987489579.000001366C500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.3982802094.000001366BEDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 00000010.00000002.3987489579.000001366C500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3986559912.00000207FABF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_00000207FABD8A77 rdtsc

18_2_00000207FABD8A77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048EAA2 BlockInput,

0_2_0048EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00442622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00442622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00434CE8 mov eax, dword ptr fs:[00000030h]

0_2_00434CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00470B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00470B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00442622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00442622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004309D5 SetUnhandledExceptionFilter,	0_2_004309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00430C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00430C21

Source: C:\Users\user\Desktop\file.exe

0_2_00471201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00452BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00452BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047B226 SendInput,keybd_event,

0_2_0047B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00470B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00471663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00471663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2316858604.0000025871501000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00430698 cpuid

0_2_00430698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046D21C GetLocalTime,

0_2_0046D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046D27A GetUserNameW,

0_2_0046D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0044B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0044B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4232, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4232, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00491204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00491806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	29%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	216.58.208.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://youtube.comZ	firefox.exe, 0000000E.00000003.2333131910.000021EA7C804000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2344733362.0000025877197000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369727589.0000025877197000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379582225.0000025877197000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194256575.0000025877197000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261593010.0000025877197000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3983885301.00000207FA7C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3983982928.000001F9E92BA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2232203468.000002586E27B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3984518063.000001366C272000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3983885301.00000207FA781000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3983982928.000001F9E9286000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2384204845.000002586E684000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2364523609.000002586FA8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2375608817.000002586EEAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2171495993.000002586D400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172400185.000002586AA45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171963247.000002586AA23000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2355307920.000002586FAE4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2369091848.00000258792A4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2194256575.00000258771E2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2171495993.000002586D400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376763200.000002586ECA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172400185.000002586AA45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2384757241.000002586E634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326421826.000002586EDBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297112191.000002586EDBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171963247.000002586AA23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321899263.000002586EDB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2267846382.0000025870860000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2348850642.0000025870860000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379816142.0000025870860000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/0	firefox.exe, 0000000E.00000003.2333131910.000021EA7C804000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332726742.00001365E9603000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2171495993.000002586D400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172400185.000002586AA45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171963247.000002586AA23000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.2202825923.000002586E912000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2360941905.0000025875891000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2359617014.000002587748C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347630386.0000025875842000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373859501.000002586F6BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356939893.0000025875842000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2373859501.000002586F6BC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2384204845.000002586E684000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://ac	firefox.exe, 00000012.00000002.3982890881.00000207FA4A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2344272330.00000258785B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2224165614.000002586FB6F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2352156535.000002586FD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363262389.000002586FD82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372560968.000002586FD86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2260177451.000002587936C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369727589.0000025877189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194256575.0000025877165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344733362.0000025877165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261593010.0000025877165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3983885301.00000207FA703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3983982928.000001F9E920C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2233678560.000002586E2B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2384291686.000002586E673000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2379138211.00000258785A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344272330.0000025878541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355791807.0000025878541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369563919.0000025878544000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2356939893.0000025875842000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3983885301.00000207FA7C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3983982928.000001F9E92BA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2233460527.00000258764DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233313158.00000258764F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231065262.00000258764F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2297112191.000002586EDA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2207324635.000002586EDA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326535734.000002586EDAB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2344272330.00000258785B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2354204091.000002586FC73000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2376763200.000002586ECA3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000013.00000002.3983982928.000001F9E9213000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2202079018.0000025870E69000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.comp	firefox.exe, 0000000E.00000003.2368302622.000002586F7EB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2194256575.00000258771E2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2383244688.000002586EA1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2233313158.00000258764F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2202079018.0000025870ED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285607624.000002586E4CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285607624.000002586E4C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285088216.000002586E4F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197999037.0000025870EF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194256575.000002587718F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279299967.0000025875967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220620397.000002586FBAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219556311.000002586FB83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297112191.000002586EDA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280635043.0000025875992000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373859501.000002586F693000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353065390.000002586FCFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196620831.0000025870EEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2391065429.000002586E4D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2207324635.000002586EDA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177161421.000002586D0DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220400933.0000025875967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227313833.000002586E4CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2384757241.000002586E640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2224165614.000002586FB68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2267846382.000002587084A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2348850642.000002587084A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2348850642.0000025870858000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379816142.0000025870858000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000E.00000003.2202825923.000002586E912000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2383244688.000002586EA1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2201403717.000002586DC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2384757241.000002586E614000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://acu	firefox.exe, 00000013.00000002.3986214252.000001F9E93C0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2233632957.00000258764C0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2267846382.0000025870860000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363113255.0000025870877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2348850642.0000025870860000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2234085269.000002586F11E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233313158.00000258764F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233678560.000002586E2B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2379138211.00000258785A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344272330.0000025878541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355791807.0000025878541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369563919.0000025878544000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2361014974.000002587588A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2202079018.0000025870E69000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2369226865.0000025879230000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369226865.0000025879258000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2171963247.000002586AA23000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2171495993.000002586D400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172400185.000002586AA45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2201403717.000002586DC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2384757241.000002586E60F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326421826.000002586EDBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297112191.000002586EDBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171963247.000002586AA23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321899263.000002586EDB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2194256575.00000258771E2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2384204845.000002586E684000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3986649532.000001366C300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3986055260.00000207FAB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3983621131.000001F9E9070000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.wykop.pl/	firefox.exe, 0000000E.00000003.2352156535.000002586FD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363262389.000002586FD82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372560968.000002586FD86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/userf	firefox.exe, 00000013.00000002.3983982928.000001F9E92F6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 0000000E.00000003.2352156535.000002586FD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363262389.000002586FD82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372560968.000002586FD86000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574545
Start date and time:	2024-12-13 12:15:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/38@74/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 96% Number of executed functions: 50 Number of non-executed functions: 290
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.213.181.160, 35.85.93.176, 44.228.225.150, 172.217.17.46, 88.221.134.155, 88.221.134.209, 142.250.181.138, 142.250.181.106, 13.107.246.63, 23.218.208.109, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 4780 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	https://idw.soundestlink.com/ce/c/675b7a96903a5335b119c33f/675b7ae33d33226215120f66/675b7afd057112d43b49094d?signature=7e9e7eead1b3f32bbe3709a667795cd47f753f0f46ed5e056831680ea81aa102	Get hash	malicious	Unknown	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	loader.exe	Get hash	malicious	Unknown	Browse	151.101.0.223
	loader.exe	Get hash	malicious	Unknown	Browse	151.101.0.223
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	151.101.194.137
	https://idw.soundestlink.com/ce/c/675b7a96903a5335b119c33f/675b7ae33d33226215120f66/675b7afd057112d43b49094d?signature=7e9e7eead1b3f32bbe3709a667795cd47f753f0f46ed5e056831680ea81aa102	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://opof.utackhepr.com/WE76L1u/	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://e.trustifi.com/#/fff2a6/34074b/38c75f/bf3fbd/0d1c47/12c665/f3cdcd/c1be48/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d08b7b/9066d9/86c9f0/b1ff53/224fc1/c5dff5/a64e02/f00a15/3cdbea/a78615/4ddb76/30d9f7/98e1a2/9412cb/8e2651/8d4e63/9d313b/2f0213/ae3252/642e4a/6f0b2e/306b49/fd8e03/84bfef/0da4e6/6224c1/902b5e/e0d84c/badeba/3e52c1/94282a/975221/7a2e92/514659/ae5bab/957b7b/eb9e61/6942c6/d917d9/44a5ae/e58297/02048a/55f177/dca75c/c46e68/ac781c/5b787b/abcd53/568132/1d514a/5290de/d0b524/7d0cb6/e4e8bf/2ff215/1ddb69/add914/7674bb/dc5d9b/8fc829/561052/f5a816/40ee64/a0bcf5/b0cc13/8e70a5/255ef2/b24b8d/81e09f/4c70dd/5bbaa4/7ff26c/f1999b/4a2515/4a3a04/0a188e	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	j87MOFviv4.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_7f9825c2-d9a3-4c0f-8ea0-bbd91a8fc7ae.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.17190357227988
Encrypted:	false
SSDEEP:	192:FMBMXXjUcbhbVbTbfbRbObtbyEl7nwrhJA6unSrDtTkdxSofh:+iQcNhnzFSJQrc1nSrDhkdx1
MD5:	243FE5774A48860A499B3147FAB0C897
SHA1:	89777AABCC17DB3B4E3EEFC1ABE84AAE0E3CCA69
SHA-256:	716A73A76F64B123C3FA173FE3E9D7D828DAD77AD2E49E2A50EDEDEB2BFCE5B7
SHA-512:	D731CCA143430319432D07004A0B008D18232DF7B08ABF0786DFFE8CCA7E2B9A586083DF04FBF7CC1579356C7E049AFA359A6840C6012E15EA39ED16E5195119
Malicious:	false
Preview:	{"type":"uninstall","id":"7f9825c2-d9a3-4c0f-8ea0-bbd91a8fc7ae","creationDate":"2024-12-13T12:37:14.179Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_7f9825c2-d9a3-4c0f-8ea0-bbd91a8fc7ae.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.17190357227988
Encrypted:	false
SSDEEP:	192:FMBMXXjUcbhbVbTbfbRbObtbyEl7nwrhJA6unSrDtTkdxSofh:+iQcNhnzFSJQrc1nSrDhkdx1
MD5:	243FE5774A48860A499B3147FAB0C897
SHA1:	89777AABCC17DB3B4E3EEFC1ABE84AAE0E3CCA69
SHA-256:	716A73A76F64B123C3FA173FE3E9D7D828DAD77AD2E49E2A50EDEDEB2BFCE5B7
SHA-512:	D731CCA143430319432D07004A0B008D18232DF7B08ABF0786DFFE8CCA7E2B9A586083DF04FBF7CC1579356C7E049AFA359A6840C6012E15EA39ED16E5195119
Malicious:	false
Preview:	{"type":"uninstall","id":"7f9825c2-d9a3-4c0f-8ea0-bbd91a8fc7ae","creationDate":"2024-12-13T12:37:14.179Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3081431503395793
Encrypted:	false
SSDEEP:	48:UcdupUgdw8FzbXduP6Bdw8jb9duvadw8R1:UjJskXWUn
MD5:	DEDB95D3E6EA105442E0FF9D90BD5BA2
SHA1:	295EA31B3B3B14BC503E6013A724D354C5895717
SHA-256:	1B1001346513775EC99A41A79C3E3F07BB163CD99216D2D8683F5F57310C6FCA
SHA-512:	26AF3881A9A456CC06DF722082386BCBA11194AC41F6210188003DF2394B6CFF8A9579853FDF6A5583AC0D22696AA9A8D844E66BB8E81F87514B5BE54E4BAA3A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......`.9}PM..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.I.Y.Z....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.Z............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.Z..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........,..r.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3081431503395793
Encrypted:	false
SSDEEP:	48:UcdupUgdw8FzbXduP6Bdw8jb9duvadw8R1:UjJskXWUn
MD5:	DEDB95D3E6EA105442E0FF9D90BD5BA2
SHA1:	295EA31B3B3B14BC503E6013A724D354C5895717
SHA-256:	1B1001346513775EC99A41A79C3E3F07BB163CD99216D2D8683F5F57310C6FCA
SHA-512:	26AF3881A9A456CC06DF722082386BCBA11194AC41F6210188003DF2394B6CFF8A9579853FDF6A5583AC0D22696AA9A8D844E66BB8E81F87514B5BE54E4BAA3A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......`.9}PM..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.I.Y.Z....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.Z............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.Z..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........,..r.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITG2ZDK1OCCC9T9TMPV7.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3081431503395793
Encrypted:	false
SSDEEP:	48:UcdupUgdw8FzbXduP6Bdw8jb9duvadw8R1:UjJskXWUn
MD5:	DEDB95D3E6EA105442E0FF9D90BD5BA2
SHA1:	295EA31B3B3B14BC503E6013A724D354C5895717
SHA-256:	1B1001346513775EC99A41A79C3E3F07BB163CD99216D2D8683F5F57310C6FCA
SHA-512:	26AF3881A9A456CC06DF722082386BCBA11194AC41F6210188003DF2394B6CFF8A9579853FDF6A5583AC0D22696AA9A8D844E66BB8E81F87514B5BE54E4BAA3A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......`.9}PM..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.I.Y.Z....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.Z............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.Z..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........,..r.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YM2Y26S743S9A1YHJM0O.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	modified
Size (bytes):	5488
Entropy (8bit):	3.3081431503395793
Encrypted:	false
SSDEEP:	48:UcdupUgdw8FzbXduP6Bdw8jb9duvadw8R1:UjJskXWUn
MD5:	DEDB95D3E6EA105442E0FF9D90BD5BA2
SHA1:	295EA31B3B3B14BC503E6013A724D354C5895717
SHA-256:	1B1001346513775EC99A41A79C3E3F07BB163CD99216D2D8683F5F57310C6FCA
SHA-512:	26AF3881A9A456CC06DF722082386BCBA11194AC41F6210188003DF2394B6CFF8A9579853FDF6A5583AC0D22696AA9A8D844E66BB8E81F87514B5BE54E4BAA3A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......`.9}PM..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.I.Y.Z....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.Z............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.Z..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........,..r.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.931234428577217
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLmhkcV8P:gXiNFS+OcUGOdwiOdwBjkYLBo8P
MD5:	E1071E2444ECFA962BDC13C24883EE92
SHA1:	11EA7893F9CBA3C198DEF1A38A83A7D782FB7B42
SHA-256:	98801E2A9008D01EA33C0E43C16D795E0DFC5C3F1A0F51917DD1C58DE3B1F145
SHA-512:	26BF06605517D3B95CB42CB0F436145604D2D93D74A15AEB5125EB515565519D6F6254DCD7019F938C31F6B5B1F6A2B6823BBD98363FD8758F4BEF817FA231F0
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.931234428577217
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLmhkcV8P:gXiNFS+OcUGOdwiOdwBjkYLBo8P
MD5:	E1071E2444ECFA962BDC13C24883EE92
SHA1:	11EA7893F9CBA3C198DEF1A38A83A7D782FB7B42
SHA-256:	98801E2A9008D01EA33C0E43C16D795E0DFC5C3F1A0F51917DD1C58DE3B1F145
SHA-512:	26BF06605517D3B95CB42CB0F436145604D2D93D74A15AEB5125EB515565519D6F6254DCD7019F938C31F6B5B1F6A2B6823BBD98363FD8758F4BEF817FA231F0
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07313231714035051
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiqSh:DLhesh7Owd4+jiqS
MD5:	C47297DDF58DE1B5574E981D3D90BBCE
SHA1:	A44D1100967E6CD7B90042010308D7B09F371F3B
SHA-256:	5B8CC29965D72087473C540E62EAAE0CBB34815F846C880045D439A80CFDF991
SHA-512:	71E08581372A72EE4C6773D87658AFD2742385E2F8A2B09BBF628A5A70136F2A76D91A1669295BBCB960C44ADC42893CF0DAF80CD4803E42B5299C1893219EC4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039789379076853294
Encrypted:	false
SSDEEP:	3:GHlhV3EbrnYldlhV3EbrN4l8a9//Ylll4llqlyllel4lt:G7VU/eVU/+L9XIwlio
MD5:	A8A679B8EDFAC819C550D4E4799803D0
SHA1:	96CC736F1A0A7727069BB79AD0227732168A3244
SHA-256:	A655B81DD8C08CCCC53060A7EAC6DB1B177EAEDF88FEDE57666003667D91134B
SHA-512:	DD486AE9B6738CF1E1EE3664F9790EA6A348541875DFD14B1A1782390202041CB73E080574042A98234375F675C54E6569D2E4CEF9DD4DC6DD607D08BD437A7B
Malicious:	false
Preview:	..-......................6..!M2..a.......%..g.....-......................6..!M2..a.......%..g...........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.0954903504035034
Encrypted:	false
SSDEEP:	24:Kd73xLxs9YC/5xsMldCCQE/TSKCrsCs81xsayt+4gmwl02iEg:a/s3zJKDC8XVyM4UG
MD5:	2B223E32EFCB174A8FB590AC8ACD4D13
SHA1:	32B3E187EA7A875F61E954226EBFC68A0E78B67F
SHA-256:	3B782F721AC37E62830DB2B07CA85C77482118E957CBF64ECAAF9D4C935B3760
SHA-512:	D1B3E9A1033916702E4AD042E78ED3ABD4DB64D9D3195C9A301FDBB5485C98CA2F423FB308626FE329335F46A7C5A50420394A86365FFC8682782888F1A1E1DC
Malicious:	false
Preview:	7....-...........a........e.M'.h.........a......7.....CM................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.465884470953239
Encrypted:	false
SSDEEP:	192:bnTFTRRUYbBp6dLZNMGaXi6qU4Mbzy+/3/7hL5RYiNBw8dMSl:nKe8FNM1nnyCldwb0
MD5:	FB68C958451AFCE8F44C57E9F6DEED62
SHA1:	700E1D338D9622F0793C069BA56EA1CC951F445D
SHA-256:	3CC040D83E0808EABC143FF8045DB2FCFAB5A93DDD014E35A3771AC32A055CD2
SHA-512:	8F61900C9E7A486A60175A56810696289C157C6258B960551B77D49D39A3D34FF6A788D32E3F4DA7B4570ACBDD451E124BF758798CCCEF4FDA545B2B50FB8FD5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734093404);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734093404);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734093404);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173409

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.465884470953239
Encrypted:	false
SSDEEP:	192:bnTFTRRUYbBp6dLZNMGaXi6qU4Mbzy+/3/7hL5RYiNBw8dMSl:nKe8FNM1nnyCldwb0
MD5:	FB68C958451AFCE8F44C57E9F6DEED62
SHA1:	700E1D338D9622F0793C069BA56EA1CC951F445D
SHA-256:	3CC040D83E0808EABC143FF8045DB2FCFAB5A93DDD014E35A3771AC32A055CD2
SHA-512:	8F61900C9E7A486A60175A56810696289C157C6258B960551B77D49D39A3D34FF6A788D32E3F4DA7B4570ACBDD451E124BF758798CCCEF4FDA545B2B50FB8FD5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734093404);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734093404);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734093404);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173409

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.333329837176229
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSfl09LXnIgG/pnxQwRlszT5sKL0v3eHVvwKXTvamhujJmyOOxmOmaR:GUpOx0l09WnR6i3eNwCTv4JNKRh4
MD5:	3A1B5B29BD6FAD42E6E9A872859BEA25
SHA1:	E9A35C0FAAF527754E793D5514747B455DDF4BD8
SHA-256:	B7E572752AA4B81D926AE8B9C98DDE52CDC3329F1713ED305F2564F2D929A1B7
SHA-512:	5984022130533547632D86F4E5D3845BBEDD2A34540039FF19E313C8B9DEC4D90C4EF7F4B917E9787C8570C13E752639DAA1AA135A8F102DBC510FDA12A6C500
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c40b0092-61e8-4c7f-80b8-c1af9cff9080}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734093408615,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`373668...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....377753,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.333329837176229
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSfl09LXnIgG/pnxQwRlszT5sKL0v3eHVvwKXTvamhujJmyOOxmOmaR:GUpOx0l09WnR6i3eNwCTv4JNKRh4
MD5:	3A1B5B29BD6FAD42E6E9A872859BEA25
SHA1:	E9A35C0FAAF527754E793D5514747B455DDF4BD8
SHA-256:	B7E572752AA4B81D926AE8B9C98DDE52CDC3329F1713ED305F2564F2D929A1B7
SHA-512:	5984022130533547632D86F4E5D3845BBEDD2A34540039FF19E313C8B9DEC4D90C4EF7F4B917E9787C8570C13E752639DAA1AA135A8F102DBC510FDA12A6C500
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c40b0092-61e8-4c7f-80b8-c1af9cff9080}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734093408615,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`373668...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....377753,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.333329837176229
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSfl09LXnIgG/pnxQwRlszT5sKL0v3eHVvwKXTvamhujJmyOOxmOmaR:GUpOx0l09WnR6i3eNwCTv4JNKRh4
MD5:	3A1B5B29BD6FAD42E6E9A872859BEA25
SHA1:	E9A35C0FAAF527754E793D5514747B455DDF4BD8
SHA-256:	B7E572752AA4B81D926AE8B9C98DDE52CDC3329F1713ED305F2564F2D929A1B7
SHA-512:	5984022130533547632D86F4E5D3845BBEDD2A34540039FF19E313C8B9DEC4D90C4EF7F4B917E9787C8570C13E752639DAA1AA135A8F102DBC510FDA12A6C500
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c40b0092-61e8-4c7f-80b8-c1af9cff9080}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734093408615,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`373668...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....377753,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.008887040213118
Encrypted:	false
SSDEEP:	48:YrSAYvfHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycvfCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	62EA5BD6A1D5D5D2CC170F11F465962F
SHA1:	CC39E693DB034CC4EE5208D1F10D3830A4579688
SHA-256:	56B87C03DDA85D3FA706BEF6F67B5BE2A9FDB667A8D7872774829CE619DE3514
SHA-512:	E72769C2D8CA88BF6F04C77412680A811F408E5B782188D1D4BCB2C1348590CAF1D99E4734CDCDCDE3FAD85EEE2CA0C64E70ADD29E905615D0BF8ED9397CB3CD
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T12:36:30.712Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.008887040213118
Encrypted:	false
SSDEEP:	48:YrSAYvfHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycvfCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	62EA5BD6A1D5D5D2CC170F11F465962F
SHA1:	CC39E693DB034CC4EE5208D1F10D3830A4579688
SHA-256:	56B87C03DDA85D3FA706BEF6F67B5BE2A9FDB667A8D7872774829CE619DE3514
SHA-512:	E72769C2D8CA88BF6F04C77412680A811F408E5B782188D1D4BCB2C1348590CAF1D99E4734CDCDCDE3FAD85EEE2CA0C64E70ADD29E905615D0BF8ED9397CB3CD
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T12:36:30.712Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.707547100826651
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	972'288 bytes
MD5:	5860a1bb4e76af912ba6a63ac572f7f7
SHA1:	1f61042d2c0c6b3756ea0937c419608c8396096a
SHA256:	e1ce7d30cae8f70b196509496438bddb9410ffc4c29c9329e8b78e50e773d745
SHA512:	4963342cc0a3c491d0db3d6c241160377004c3bf37b12c50b9fc5624a8683f27e3f71b3517e7f163321d4c88ee108499756b37bd34308cbf3e2ae11676f5876f
SSDEEP:	24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aZ+Fh:2TvC/MTQYxsWR7aZ+F
TLSH:	6E259E0273D1C062FF9B92334F5AF6515BBC69260123A61F13A81D7ABD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675C0DCD [Fri Dec 13 10:34:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F01C0E13643h
jmp 00007F01C0E12F4Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F01C0E1312Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F01C0E130FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F01C0E15CEDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F01C0E15D38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F01C0E15D21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x16a90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x16a90	0x16c00	fde8d90d02f94e274fd5151df70112e9	False	0.7071278331043956	data	7.199132648988243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xdc12	data			1.0004615002307502
RT_GROUP_ICON	0xea510	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea588	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea59c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea5b0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea5c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea6a0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 12:16:33.011045933 CET	49716	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:33.011310101 CET	49717	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:16:33.011343956 CET	443	49717	35.190.72.216	192.168.2.6
Dec 13, 2024 12:16:33.011627913 CET	49717	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:16:33.017093897 CET	49717	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:16:33.017110109 CET	443	49717	35.190.72.216	192.168.2.6
Dec 13, 2024 12:16:33.017550945 CET	49718	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:33.017596006 CET	443	49718	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:33.017674923 CET	49719	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:33.017684937 CET	443	49719	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:33.017925978 CET	49718	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:33.018170118 CET	49719	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:33.019409895 CET	49718	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:33.019423962 CET	443	49718	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:33.020766020 CET	49719	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:33.020790100 CET	443	49719	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:33.091948986 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:33.091994047 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:33.092070103 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:33.092289925 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:33.092304945 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:33.093209982 CET	49721	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:33.093225002 CET	443	49721	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:33.093307972 CET	49721	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:33.094748020 CET	49721	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:33.094758987 CET	443	49721	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:33.144222975 CET	80	49716	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:33.144704103 CET	49716	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:33.145001888 CET	49716	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:33.211128950 CET	49722	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:33.211162090 CET	443	49722	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:33.217972040 CET	49722	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:33.220035076 CET	49722	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:33.220050097 CET	443	49722	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:33.404675007 CET	80	49716	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:33.890321970 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:33.890384912 CET	443	49723	34.160.144.191	192.168.2.6
Dec 13, 2024 12:16:33.890531063 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:33.890702963 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:33.890727043 CET	443	49723	34.160.144.191	192.168.2.6
Dec 13, 2024 12:16:34.547373056 CET	80	49716	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:34.559056044 CET	443	49717	35.190.72.216	192.168.2.6
Dec 13, 2024 12:16:34.563338041 CET	443	49717	35.190.72.216	192.168.2.6
Dec 13, 2024 12:16:34.563791990 CET	49717	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:16:34.604453087 CET	49716	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:34.605820894 CET	49717	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:16:34.605834007 CET	443	49717	35.190.72.216	192.168.2.6
Dec 13, 2024 12:16:34.605927944 CET	49717	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:16:34.606131077 CET	443	49717	35.190.72.216	192.168.2.6
Dec 13, 2024 12:16:34.607786894 CET	49717	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:16:34.632208109 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:34.635607958 CET	443	49721	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.639333963 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:34.643342018 CET	443	49721	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.644820929 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:34.651643991 CET	443	49722	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.651659966 CET	443	49722	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.664808035 CET	49721	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:34.664808035 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:34.671339989 CET	443	49722	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.683332920 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:34.683348894 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:34.683665991 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:34.684927940 CET	49722	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:34.725434065 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:34.766778946 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:34.766885996 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:34.767055988 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:34.781881094 CET	49721	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:34.781888962 CET	443	49721	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.781930923 CET	49721	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:34.782141924 CET	443	49721	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.786082029 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:34.786082029 CET	49721	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:34.792990923 CET	49722	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:34.792990923 CET	49722	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:34.793001890 CET	443	49722	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.793215036 CET	443	49722	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:34.803792953 CET	49722	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:34.941546917 CET	443	49718	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:34.941651106 CET	49718	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.942306042 CET	443	49719	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:34.942326069 CET	443	49718	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:34.942579031 CET	49718	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.942584991 CET	49719	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.943023920 CET	443	49719	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:34.943691015 CET	49719	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.948612928 CET	49718	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.948621035 CET	443	49718	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:34.948815107 CET	49718	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.948858023 CET	443	49718	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:34.948955059 CET	49718	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.949040890 CET	49719	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.949063063 CET	443	49719	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:34.949114084 CET	49719	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:34.949276924 CET	443	49719	142.250.181.78	192.168.2.6
Dec 13, 2024 12:16:34.949513912 CET	49719	443	192.168.2.6	142.250.181.78
Dec 13, 2024 12:16:35.176618099 CET	49716	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:35.243802071 CET	443	49723	34.160.144.191	192.168.2.6
Dec 13, 2024 12:16:35.243932962 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:35.247021914 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:35.247031927 CET	443	49723	34.160.144.191	192.168.2.6
Dec 13, 2024 12:16:35.247292995 CET	443	49723	34.160.144.191	192.168.2.6
Dec 13, 2024 12:16:35.249460936 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:35.249531984 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:35.249629974 CET	443	49723	34.160.144.191	192.168.2.6
Dec 13, 2024 12:16:35.254318953 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:35.254338026 CET	49723	443	192.168.2.6	34.160.144.191
Dec 13, 2024 12:16:35.301192045 CET	80	49716	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:35.301315069 CET	49716	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:35.380203009 CET	49726	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:35.380239010 CET	443	49726	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:35.380455017 CET	49726	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:35.381886005 CET	49726	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:35.381899118 CET	443	49726	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:35.518043995 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:35.518280983 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:35.638055086 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:35.638067007 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:35.647259951 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:35.647259951 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:35.647417068 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:35.647535086 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:35.767349958 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:35.767366886 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:36.014750957 CET	49734	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:36.014848948 CET	443	49734	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:36.024606943 CET	49734	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:36.026104927 CET	49734	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:36.026138067 CET	443	49734	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:36.605628014 CET	443	49726	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:36.605707884 CET	49726	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:36.610688925 CET	49726	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:36.610698938 CET	443	49726	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:36.610805988 CET	49726	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:36.610877991 CET	443	49726	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:36.611162901 CET	49735	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:36.611201048 CET	443	49735	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:36.613507986 CET	49726	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:36.613533974 CET	49735	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:36.626302958 CET	49735	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:36.626316071 CET	443	49735	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:36.627104044 CET	49736	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:36.627115011 CET	443	49736	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:36.629250050 CET	49736	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:36.630650043 CET	49736	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:36.630660057 CET	443	49736	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:36.632114887 CET	49737	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:16:36.632139921 CET	443	49737	34.149.100.209	192.168.2.6
Dec 13, 2024 12:16:36.635723114 CET	49737	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:16:36.637196064 CET	49737	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:16:36.637207985 CET	443	49737	34.149.100.209	192.168.2.6
Dec 13, 2024 12:16:37.039700985 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:37.039733887 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:37.094343901 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:37.094387054 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:37.241293907 CET	443	49734	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:37.241312981 CET	443	49734	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:37.248136997 CET	49734	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:37.267571926 CET	49734	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:37.267606974 CET	443	49734	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:37.267640114 CET	49734	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:37.268234015 CET	443	49734	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:37.275152922 CET	49734	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:38.145081997 CET	443	49737	34.149.100.209	192.168.2.6
Dec 13, 2024 12:16:38.145410061 CET	49737	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:16:38.148000956 CET	443	49735	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:38.148344040 CET	49735	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:38.151428938 CET	49737	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:16:38.151442051 CET	443	49737	34.149.100.209	192.168.2.6
Dec 13, 2024 12:16:38.151520967 CET	49737	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:16:38.152332067 CET	443	49737	34.149.100.209	192.168.2.6
Dec 13, 2024 12:16:38.152448893 CET	49737	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:16:38.153182983 CET	49735	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:38.153194904 CET	443	49735	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:38.153340101 CET	443	49735	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:38.153393030 CET	49735	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:38.153402090 CET	443	49735	34.117.188.166	192.168.2.6
Dec 13, 2024 12:16:38.153436899 CET	49735	443	192.168.2.6	34.117.188.166
Dec 13, 2024 12:16:38.153546095 CET	443	49736	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:38.153640032 CET	49736	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.158612013 CET	49736	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.158622026 CET	443	49736	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:38.158796072 CET	49736	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.158891916 CET	443	49736	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:38.159275055 CET	49736	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.867845058 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:38.884219885 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:38.892201900 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.892249107 CET	443	49744	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:38.892328978 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.892354012 CET	443	49745	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:38.892467976 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.892508984 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.892513990 CET	443	49744	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:38.892635107 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.892697096 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:38.892704010 CET	443	49745	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:38.987602949 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:39.003951073 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:39.182276964 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:39.199810982 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:39.232769012 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:39.248394012 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:39.887542963 CET	49746	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:39.887592077 CET	443	49746	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:39.887861013 CET	49747	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:39.887882948 CET	443	49747	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:39.899575949 CET	49746	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:39.899583101 CET	49747	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:39.900028944 CET	49746	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:39.900043011 CET	443	49746	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:39.901351929 CET	49747	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:39.901361942 CET	443	49747	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.104979992 CET	443	49744	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.106209993 CET	443	49745	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.109236956 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.109332085 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.112721920 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.112742901 CET	443	49744	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.113039017 CET	443	49744	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.115310907 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.115328074 CET	443	49745	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.115596056 CET	443	49745	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.117813110 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.117813110 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.117896080 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.118027925 CET	443	49744	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.118045092 CET	443	49745	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.118067026 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.118072987 CET	443	49745	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:40.118172884 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.118172884 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.118191004 CET	49744	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.118196011 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:40.118196011 CET	49745	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:41.118709087 CET	443	49746	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:41.118757963 CET	443	49746	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:41.118818998 CET	49746	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:41.121242046 CET	443	49747	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:41.121296883 CET	443	49747	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:41.122113943 CET	49746	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:41.122128010 CET	443	49746	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:41.122539043 CET	443	49746	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:41.125633001 CET	49747	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:41.130404949 CET	49746	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:41.130486012 CET	49746	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:41.130598068 CET	49747	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:41.130610943 CET	443	49747	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:41.130659103 CET	49747	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:41.130825996 CET	443	49746	35.244.181.201	192.168.2.6
Dec 13, 2024 12:16:41.131030083 CET	49746	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:16:41.131237984 CET	443	49747	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:41.131334066 CET	49747	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:44.242381096 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:44.265703917 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:44.268877983 CET	49762	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:44.268929958 CET	443	49762	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:44.279001951 CET	49762	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:44.280354023 CET	49762	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:44.280375004 CET	443	49762	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:44.362135887 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:44.385894060 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:44.395335913 CET	49763	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:44.395374060 CET	443	49763	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:44.406542063 CET	49763	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:44.410415888 CET	49763	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:44.410440922 CET	443	49763	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:44.557770014 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:44.580893040 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:44.602085114 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:44.627649069 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:44.791851997 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:44.911741018 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:45.107290030 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:45.176048040 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:45.495349884 CET	443	49762	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:45.495395899 CET	443	49762	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:45.495461941 CET	49762	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:45.546035051 CET	49762	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:45.580198050 CET	49762	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:45.580226898 CET	443	49762	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:45.580322027 CET	49762	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:45.580804110 CET	443	49762	34.120.208.123	192.168.2.6
Dec 13, 2024 12:16:45.580924034 CET	49762	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:16:45.648325920 CET	443	49763	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:45.648344040 CET	443	49763	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:45.648482084 CET	49763	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:45.696134090 CET	49763	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:45.696156025 CET	443	49763	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:45.696208954 CET	49763	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:45.697113037 CET	443	49763	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:45.697237015 CET	49763	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:46.708792925 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:46.828628063 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:47.023686886 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:47.066037893 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:47.151657104 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:47.271521091 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:47.466306925 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:47.514096022 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:57.032192945 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:57.107777119 CET	49794	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:57.107817888 CET	443	49794	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:57.108114958 CET	49794	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:57.109656096 CET	49794	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:57.109668016 CET	443	49794	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:57.191868067 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:57.486820936 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:57.606873989 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:58.372648954 CET	443	49794	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:58.372750998 CET	49794	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:58.378621101 CET	49794	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:58.378621101 CET	49794	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:58.378643990 CET	443	49794	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:58.379174948 CET	443	49794	34.107.243.93	192.168.2.6
Dec 13, 2024 12:16:58.381289959 CET	49794	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:16:58.381856918 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:58.501874924 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:58.697035074 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:58.710794926 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:58.752923012 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:16:58.830792904 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:59.025660992 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:16:59.069418907 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:00.252571106 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:00.252624035 CET	443	49804	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:00.256092072 CET	49805	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:17:00.256135941 CET	443	49805	35.190.72.216	192.168.2.6
Dec 13, 2024 12:17:00.257376909 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:00.257428885 CET	49805	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:17:00.257545948 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:00.257558107 CET	443	49804	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:00.259139061 CET	49805	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:17:00.259160042 CET	443	49805	35.190.72.216	192.168.2.6
Dec 13, 2024 12:17:00.374094963 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:00.374125957 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:00.374388933 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:00.374388933 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:00.374417067 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:00.388575077 CET	49807	443	192.168.2.6	151.101.1.91
Dec 13, 2024 12:17:00.388619900 CET	443	49807	151.101.1.91	192.168.2.6
Dec 13, 2024 12:17:00.389056921 CET	49807	443	192.168.2.6	151.101.1.91
Dec 13, 2024 12:17:00.389338017 CET	49807	443	192.168.2.6	151.101.1.91
Dec 13, 2024 12:17:00.389350891 CET	443	49807	151.101.1.91	192.168.2.6
Dec 13, 2024 12:17:00.407207966 CET	49808	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:17:00.407242060 CET	443	49808	35.201.103.21	192.168.2.6
Dec 13, 2024 12:17:00.407356024 CET	49808	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:17:00.408790112 CET	49808	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:17:00.408799887 CET	443	49808	35.201.103.21	192.168.2.6
Dec 13, 2024 12:17:01.475516081 CET	443	49804	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:01.476887941 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.478514910 CET	443	49805	35.190.72.216	192.168.2.6
Dec 13, 2024 12:17:01.480053902 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.480070114 CET	443	49804	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:01.480479002 CET	443	49804	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:01.481944084 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.482049942 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.482131958 CET	443	49804	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:01.486032963 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:01.486906052 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.486923933 CET	49804	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.486923933 CET	49805	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:17:01.490578890 CET	49805	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:17:01.490592003 CET	443	49805	35.190.72.216	192.168.2.6
Dec 13, 2024 12:17:01.490648985 CET	49805	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:17:01.490983963 CET	443	49805	35.190.72.216	192.168.2.6
Dec 13, 2024 12:17:01.491071939 CET	49805	443	192.168.2.6	35.190.72.216
Dec 13, 2024 12:17:01.583770990 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.583844900 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.587049007 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.587054968 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.587302923 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.589591026 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.589694977 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.589744091 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.590363979 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.603071928 CET	443	49807	151.101.1.91	192.168.2.6
Dec 13, 2024 12:17:01.603135109 CET	49807	443	192.168.2.6	151.101.1.91
Dec 13, 2024 12:17:01.606210947 CET	49807	443	192.168.2.6	151.101.1.91
Dec 13, 2024 12:17:01.606223106 CET	443	49807	151.101.1.91	192.168.2.6
Dec 13, 2024 12:17:01.606432915 CET	443	49807	151.101.1.91	192.168.2.6
Dec 13, 2024 12:17:01.608341932 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:01.609242916 CET	49807	443	192.168.2.6	151.101.1.91
Dec 13, 2024 12:17:01.609333038 CET	49807	443	192.168.2.6	151.101.1.91
Dec 13, 2024 12:17:01.609453917 CET	443	49807	151.101.1.91	192.168.2.6
Dec 13, 2024 12:17:01.614598989 CET	49807	443	192.168.2.6	151.101.1.91
Dec 13, 2024 12:17:01.618385077 CET	49810	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.618432045 CET	443	49810	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.619173050 CET	49810	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.619173050 CET	49810	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.619200945 CET	443	49810	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.619558096 CET	49811	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.619659901 CET	443	49811	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.619889021 CET	49811	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.619963884 CET	49811	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.619986057 CET	443	49811	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.621592045 CET	49812	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.621632099 CET	443	49812	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.621767998 CET	49812	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.622118950 CET	49812	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:01.622145891 CET	443	49812	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:01.631568909 CET	443	49808	35.201.103.21	192.168.2.6
Dec 13, 2024 12:17:01.631757021 CET	49808	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:17:01.636578083 CET	49808	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:17:01.636590004 CET	443	49808	35.201.103.21	192.168.2.6
Dec 13, 2024 12:17:01.636713982 CET	49808	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:17:01.636914015 CET	443	49808	35.201.103.21	192.168.2.6
Dec 13, 2024 12:17:01.637161016 CET	49808	443	192.168.2.6	35.201.103.21
Dec 13, 2024 12:17:01.650084972 CET	49813	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.650130033 CET	443	49813	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:01.657241106 CET	49813	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.657335043 CET	49813	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:01.657344103 CET	443	49813	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:01.803437948 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:01.807446957 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:01.846409082 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:01.927191973 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:02.121932983 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:02.162914038 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:02.834284067 CET	443	49811	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.834398985 CET	49811	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.835851908 CET	443	49812	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.835975885 CET	49812	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.837460041 CET	49811	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.837491989 CET	443	49811	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.837809086 CET	443	49811	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.839312077 CET	443	49810	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.840243101 CET	49812	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.840264082 CET	443	49812	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.840413094 CET	49810	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.840572119 CET	443	49812	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.842958927 CET	49810	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.842978001 CET	443	49810	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.843516111 CET	443	49810	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.846645117 CET	49811	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.846880913 CET	49811	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.847150087 CET	443	49811	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.847536087 CET	49812	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.847598076 CET	49812	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.847702026 CET	443	49812	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.848356009 CET	49810	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.848429918 CET	49810	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.848783016 CET	443	49810	35.244.181.201	192.168.2.6
Dec 13, 2024 12:17:02.849448919 CET	49811	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.849545002 CET	49812	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.849544048 CET	49810	443	192.168.2.6	35.244.181.201
Dec 13, 2024 12:17:02.853230000 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:02.876930952 CET	443	49813	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:02.876944065 CET	443	49813	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:02.877058029 CET	49813	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:02.880409002 CET	49813	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:02.880440950 CET	443	49813	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:02.880767107 CET	443	49813	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:02.882946014 CET	49813	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:02.882989883 CET	49813	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:02.883212090 CET	443	49813	34.149.100.209	192.168.2.6
Dec 13, 2024 12:17:02.890414000 CET	49813	443	192.168.2.6	34.149.100.209
Dec 13, 2024 12:17:02.973431110 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:03.168898106 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:03.172327042 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:03.219317913 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:03.292162895 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:03.487009048 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:03.535828114 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:13.179991007 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:13.299639940 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:13.496573925 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:13.616406918 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:18.663563967 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:18.716161966 CET	49857	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:17:18.716212034 CET	443	49857	34.107.243.93	192.168.2.6
Dec 13, 2024 12:17:18.716553926 CET	49857	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:17:18.717734098 CET	49857	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:17:18.717760086 CET	443	49857	34.107.243.93	192.168.2.6
Dec 13, 2024 12:17:18.783247948 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:18.978940964 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:18.981947899 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:19.028419018 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:19.102042913 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:19.296586990 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:19.351480007 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:19.931838989 CET	443	49857	34.107.243.93	192.168.2.6
Dec 13, 2024 12:17:19.932215929 CET	49857	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:17:19.935802937 CET	49857	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:17:19.935831070 CET	443	49857	34.107.243.93	192.168.2.6
Dec 13, 2024 12:17:19.935890913 CET	49857	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:17:19.935983896 CET	443	49857	34.107.243.93	192.168.2.6
Dec 13, 2024 12:17:19.938059092 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:19.939349890 CET	49857	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:17:20.058023930 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:20.261432886 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:20.264431953 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:20.316670895 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:20.384571075 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:20.579272985 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:20.633173943 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:30.261528969 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:30.382038116 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:30.423336983 CET	49885	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.423376083 CET	443	49885	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.423491001 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.423518896 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.423615932 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.423624992 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.423737049 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.423763990 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.423858881 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.423893929 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.423969984 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.423976898 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.430912018 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.430915117 CET	49885	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431094885 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431094885 CET	49885	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431097031 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431097031 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431097031 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431116104 CET	443	49885	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.431210995 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431221962 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.431283951 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431299925 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.431348085 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431358099 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.431410074 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431420088 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.431472063 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:30.431480885 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:30.584614038 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:30.704607010 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:31.643642902 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.643666983 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.643719912 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.646884918 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.646897078 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.647190094 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.647845030 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.647861004 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.648003101 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.648050070 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.648063898 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.648298025 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.648993015 CET	443	49885	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.649007082 CET	443	49885	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.650051117 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.650069952 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.650468111 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.650476933 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.650706053 CET	49885	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.650758028 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.650788069 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.650799036 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.650820971 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.650846004 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.653168917 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.653183937 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.653474092 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.655414104 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.655440092 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.655864000 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.657675028 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.657685041 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.657943010 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.659806013 CET	49885	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.659828901 CET	443	49885	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.660123110 CET	443	49885	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.662486076 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.662672997 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.662734032 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.662923098 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.662936926 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.664119959 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.664139032 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.664660931 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.666143894 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.666152000 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.668754101 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.668929100 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.669140100 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.669147968 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.669219017 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.669250965 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.669392109 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.669426918 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.669430017 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.669442892 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.669787884 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.669810057 CET	49897	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.669920921 CET	443	49897	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.670233965 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.670334101 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.670368910 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.671222925 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.671237946 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.671241999 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.671274900 CET	49897	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.671441078 CET	49897	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.671468973 CET	443	49897	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.671610117 CET	49885	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.671781063 CET	49885	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.671822071 CET	443	49885	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:31.672764063 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.672805071 CET	49885	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:31.674787998 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:31.794660091 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:31.990003109 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:31.993114948 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:32.034549952 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:32.113097906 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:32.308101892 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:32.351061106 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:32.876518011 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:32.876581907 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.879764080 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.879770994 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:32.880781889 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:32.882426023 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.882550001 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.882859945 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:32.883968115 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.885467052 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:32.886768103 CET	443	49897	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:32.886892080 CET	49897	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.889717102 CET	49897	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.889741898 CET	443	49897	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:32.890041113 CET	443	49897	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:32.892276049 CET	49897	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.892357111 CET	49897	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:32.892431974 CET	443	49897	34.120.208.123	192.168.2.6
Dec 13, 2024 12:17:32.893183947 CET	49897	443	192.168.2.6	34.120.208.123
Dec 13, 2024 12:17:33.005203962 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:33.200570107 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:33.203630924 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:33.253870964 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:33.324841022 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:33.518409967 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:33.570391893 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:43.213521957 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:43.333355904 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:43.530021906 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:43.649903059 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:53.343857050 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:53.463757992 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:17:53.660217047 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:17:53.779972076 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:00.088191986 CET	49963	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:18:00.088222027 CET	443	49963	34.107.243.93	192.168.2.6
Dec 13, 2024 12:18:00.088990927 CET	49963	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:18:00.091084003 CET	49963	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:18:00.091097116 CET	443	49963	34.107.243.93	192.168.2.6
Dec 13, 2024 12:18:01.310336113 CET	443	49963	34.107.243.93	192.168.2.6
Dec 13, 2024 12:18:01.312812090 CET	49963	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:18:01.316962957 CET	49963	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:18:01.316977024 CET	443	49963	34.107.243.93	192.168.2.6
Dec 13, 2024 12:18:01.317051888 CET	49963	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:18:01.317387104 CET	443	49963	34.107.243.93	192.168.2.6
Dec 13, 2024 12:18:01.317663908 CET	49963	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:18:01.319871902 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:01.439697981 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:01.634980917 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:01.643398046 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:01.683186054 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:01.763164043 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:01.958499908 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:02.021794081 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:11.649924994 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:11.769702911 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:11.982028961 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:12.101936102 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:21.771528959 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:21.891268969 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:22.103790045 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:22.223891973 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:31.901787996 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:32.021548033 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:32.233874083 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:32.353729010 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:42.032172918 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:42.152373075 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:42.363459110 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:42.483372927 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:52.161151886 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:52.282686949 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:18:52.493299961 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:18:52.615901947 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:02.291778088 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:02.411725044 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:02.623976946 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:02.743839025 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:12.421015024 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:12.540740967 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:12.753134966 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:12.872904062 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:21.930264950 CET	50039	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:19:21.930306911 CET	443	50039	34.107.243.93	192.168.2.6
Dec 13, 2024 12:19:21.930651903 CET	50039	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:19:21.932286024 CET	50039	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:19:21.932301998 CET	443	50039	34.107.243.93	192.168.2.6
Dec 13, 2024 12:19:22.551035881 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:22.731089115 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:22.883261919 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:23.003284931 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:23.194247961 CET	443	50039	34.107.243.93	192.168.2.6
Dec 13, 2024 12:19:23.194380999 CET	50039	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:19:23.200628996 CET	50039	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:19:23.200648069 CET	443	50039	34.107.243.93	192.168.2.6
Dec 13, 2024 12:19:23.200740099 CET	50039	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:19:23.200788021 CET	443	50039	34.107.243.93	192.168.2.6
Dec 13, 2024 12:19:23.200860977 CET	50039	443	192.168.2.6	34.107.243.93
Dec 13, 2024 12:19:23.203552008 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:23.323971987 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:23.519457102 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:23.523217916 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:23.569782019 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:23.643170118 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:23.839392900 CET	80	49727	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:23.885926008 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:33.532804012 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:33.654299021 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 12:19:33.849376917 CET	49727	80	192.168.2.6	34.107.221.82
Dec 13, 2024 12:19:33.969342947 CET	80	49727	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 12:16:32.836865902 CET	57926	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:32.837872982 CET	58731	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:32.951297045 CET	57986	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:32.993041039 CET	52176	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.009563923 CET	53	58731	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.011487007 CET	50808	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.011815071 CET	50025	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.012586117 CET	53609	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.092356920 CET	53	57986	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.145888090 CET	53	52176	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.170977116 CET	53	50808	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.171011925 CET	53	50025	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.171024084 CET	53	53609	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.171714067 CET	51771	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.172101021 CET	64790	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.172346115 CET	60956	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.450790882 CET	53	60956	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.452431917 CET	53	51771	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.453489065 CET	64869	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.453964949 CET	54714	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.453979015 CET	53	64790	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.454551935 CET	53310	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.559581995 CET	50412	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.810122013 CET	53	64869	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.810136080 CET	53	54714	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.811527967 CET	55740	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.811527967 CET	50603	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.811916113 CET	53	53310	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:33.812515020 CET	52316	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:33.889111996 CET	53	50412	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:34.013890982 CET	51644	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:34.076060057 CET	53	55740	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:34.076956034 CET	53	50603	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:34.077876091 CET	53	52316	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:34.085455894 CET	50207	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:34.378118038 CET	53	50207	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:34.380820990 CET	62713	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:34.632606030 CET	53	62713	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:35.066548109 CET	53	65226	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:35.175323963 CET	57285	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:35.176021099 CET	64514	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:35.317054033 CET	53	57285	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:35.320833921 CET	53	64514	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:35.377826929 CET	52059	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:35.491939068 CET	49173	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:35.629762888 CET	53	49173	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:35.647067070 CET	50300	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:35.784454107 CET	53	50300	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:35.789549112 CET	64065	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:35.927769899 CET	53	64065	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:36.485322952 CET	57950	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:36.623380899 CET	53	57950	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:36.628042936 CET	53885	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:36.636097908 CET	64212	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:37.041421890 CET	53	53885	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:37.041449070 CET	53	64212	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:37.042176008 CET	54699	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:37.042583942 CET	54375	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:37.179694891 CET	53	54699	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:37.179847956 CET	53	54375	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:38.862168074 CET	60480	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:38.863588095 CET	63436	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:39.000363111 CET	53	60480	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:39.001821041 CET	53	63436	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:39.002712965 CET	49934	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:39.142375946 CET	53	49934	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:39.884813070 CET	63158	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:40.025407076 CET	53	63158	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:40.027632952 CET	61055	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:40.166414022 CET	53	61055	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:44.246206045 CET	61074	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:44.274331093 CET	54044	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:44.383816004 CET	53	61074	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:44.411659956 CET	53	54044	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:44.411921978 CET	62404	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:44.549453020 CET	53	62404	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:48.824603081 CET	61175	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:48.824877024 CET	58540	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:48.825134039 CET	60285	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:48.961818933 CET	53	61175	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:48.962296963 CET	53	58540	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:48.963016987 CET	53	60285	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:49.839142084 CET	60397	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:49.839142084 CET	59115	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:49.839518070 CET	56991	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:49.976545095 CET	53	60397	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:49.977365017 CET	53361	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:49.977582932 CET	53	56991	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:49.978255033 CET	57593	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:50.058788061 CET	53	59115	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:50.059637070 CET	57034	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:50.114717960 CET	53	53361	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:50.116167068 CET	53	57593	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:50.283590078 CET	53	57034	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:50.750598907 CET	60698	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:50.750598907 CET	52356	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:50.887602091 CET	53	60698	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:50.888670921 CET	52276	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:50.890723944 CET	53	52356	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:50.891588926 CET	57139	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:51.026427984 CET	53	52276	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:51.027108908 CET	61246	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:51.028945923 CET	53	57139	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:51.029521942 CET	59811	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:51.164216042 CET	53	61246	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:51.246400118 CET	53	59811	1.1.1.1	192.168.2.6
Dec 13, 2024 12:16:57.107610941 CET	55926	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:16:57.290507078 CET	53	55926	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.249289989 CET	52662	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.253232956 CET	57307	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.262015104 CET	51160	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.373434067 CET	63953	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.387554884 CET	53	52662	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.388958931 CET	57844	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.391727924 CET	53	57307	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.392286062 CET	65040	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.406266928 CET	53	51160	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.511259079 CET	53	63953	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.512772083 CET	50379	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.527194023 CET	53	57844	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.529668093 CET	53	65040	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.531188965 CET	65448	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.654593945 CET	53	50379	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.655347109 CET	55369	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:00.669492006 CET	53	65448	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:00.792738914 CET	53	55369	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:18.663860083 CET	59582	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:18.716509104 CET	53030	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:18.854551077 CET	53	53030	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:30.437762976 CET	56633	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:30.575340986 CET	53	56633	1.1.1.1	192.168.2.6
Dec 13, 2024 12:17:31.674854994 CET	62817	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:17:59.949629068 CET	53582	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:18:00.087064981 CET	53	53582	1.1.1.1	192.168.2.6
Dec 13, 2024 12:18:00.088757992 CET	51412	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:18:00.226134062 CET	53	51412	1.1.1.1	192.168.2.6
Dec 13, 2024 12:19:21.504853964 CET	55570	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:19:21.777410984 CET	53	55570	1.1.1.1	192.168.2.6
Dec 13, 2024 12:19:21.778862000 CET	50119	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:19:21.923841953 CET	53	50119	1.1.1.1	192.168.2.6
Dec 13, 2024 12:19:21.929507971 CET	55561	53	192.168.2.6	1.1.1.1
Dec 13, 2024 12:19:22.121885061 CET	53	55561	1.1.1.1	192.168.2.6
Dec 13, 2024 12:19:23.203808069 CET	65248	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 12:16:32.836865902 CET	192.168.2.6	1.1.1.1	0x6f6e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:32.837872982 CET	192.168.2.6	1.1.1.1	0xbbae	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:32.951297045 CET	192.168.2.6	1.1.1.1	0x50ae	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:32.993041039 CET	192.168.2.6	1.1.1.1	0xf539	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.011487007 CET	192.168.2.6	1.1.1.1	0x532d	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.011815071 CET	192.168.2.6	1.1.1.1	0x4f9a	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.012586117 CET	192.168.2.6	1.1.1.1	0x673	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.171714067 CET	192.168.2.6	1.1.1.1	0xc0bb	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:33.172101021 CET	192.168.2.6	1.1.1.1	0xe727	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:33.172346115 CET	192.168.2.6	1.1.1.1	0xcac8	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:33.453489065 CET	192.168.2.6	1.1.1.1	0x1d29	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.453964949 CET	192.168.2.6	1.1.1.1	0x2d99	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.454551935 CET	192.168.2.6	1.1.1.1	0x905f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.559581995 CET	192.168.2.6	1.1.1.1	0x35f9	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.811527967 CET	192.168.2.6	1.1.1.1	0x612c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:33.811527967 CET	192.168.2.6	1.1.1.1	0xbc1f	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:33.812515020 CET	192.168.2.6	1.1.1.1	0xdea1	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:34.013890982 CET	192.168.2.6	1.1.1.1	0x8c3f	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:34.085455894 CET	192.168.2.6	1.1.1.1	0x2182	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:34.380820990 CET	192.168.2.6	1.1.1.1	0xd4e3	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:35.175323963 CET	192.168.2.6	1.1.1.1	0x81b3	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.176021099 CET	192.168.2.6	1.1.1.1	0xe939	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.377826929 CET	192.168.2.6	1.1.1.1	0x5961	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.491939068 CET	192.168.2.6	1.1.1.1	0x12e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.647067070 CET	192.168.2.6	1.1.1.1	0x7e6d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.789549112 CET	192.168.2.6	1.1.1.1	0x9ce2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:36.485322952 CET	192.168.2.6	1.1.1.1	0x6e63	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:36.628042936 CET	192.168.2.6	1.1.1.1	0x4a92	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:36.636097908 CET	192.168.2.6	1.1.1.1	0xd816	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:37.042176008 CET	192.168.2.6	1.1.1.1	0xdf20	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:37.042583942 CET	192.168.2.6	1.1.1.1	0x903f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:38.862168074 CET	192.168.2.6	1.1.1.1	0x1f1c	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:38.863588095 CET	192.168.2.6	1.1.1.1	0xe3c5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:39.002712965 CET	192.168.2.6	1.1.1.1	0x7c4	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:39.884813070 CET	192.168.2.6	1.1.1.1	0x4436	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:40.027632952 CET	192.168.2.6	1.1.1.1	0x2d7a	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:44.246206045 CET	192.168.2.6	1.1.1.1	0xa4a0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:44.274331093 CET	192.168.2.6	1.1.1.1	0x1ec4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:44.411921978 CET	192.168.2.6	1.1.1.1	0x46e9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:48.824603081 CET	192.168.2.6	1.1.1.1	0xfdcd	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.824877024 CET	192.168.2.6	1.1.1.1	0xc35f	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.825134039 CET	192.168.2.6	1.1.1.1	0x43b6	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.839142084 CET	192.168.2.6	1.1.1.1	0xb1b3	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.839142084 CET	192.168.2.6	1.1.1.1	0xb779	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.839518070 CET	192.168.2.6	1.1.1.1	0xe1ff	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.977365017 CET	192.168.2.6	1.1.1.1	0x9f3f	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:49.978255033 CET	192.168.2.6	1.1.1.1	0x9a1	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:50.059637070 CET	192.168.2.6	1.1.1.1	0xac98	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 12:16:50.750598907 CET	192.168.2.6	1.1.1.1	0x7252	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.750598907 CET	192.168.2.6	1.1.1.1	0xfeb3	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.888670921 CET	192.168.2.6	1.1.1.1	0xa819	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.891588926 CET	192.168.2.6	1.1.1.1	0x7af2	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:51.027108908 CET	192.168.2.6	1.1.1.1	0x6c9b	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 12:16:51.029521942 CET	192.168.2.6	1.1.1.1	0x632c	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 12:16:57.107610941 CET	192.168.2.6	1.1.1.1	0x43c3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:17:00.249289989 CET	192.168.2.6	1.1.1.1	0xba2	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.253232956 CET	192.168.2.6	1.1.1.1	0xe1fd	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.262015104 CET	192.168.2.6	1.1.1.1	0xddcc	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.373434067 CET	192.168.2.6	1.1.1.1	0x6a67	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:17:00.388958931 CET	192.168.2.6	1.1.1.1	0xd1c8	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.392286062 CET	192.168.2.6	1.1.1.1	0xd438	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 12:17:00.512772083 CET	192.168.2.6	1.1.1.1	0xe20c	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.531188965 CET	192.168.2.6	1.1.1.1	0xe19b	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 12:17:00.655347109 CET	192.168.2.6	1.1.1.1	0xa580	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:17:18.663860083 CET	192.168.2.6	1.1.1.1	0xe1a9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:18.716509104 CET	192.168.2.6	1.1.1.1	0xb17	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:17:30.437762976 CET	192.168.2.6	1.1.1.1	0xdec3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:17:31.674854994 CET	192.168.2.6	1.1.1.1	0xbeae	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:59.949629068 CET	192.168.2.6	1.1.1.1	0x6992	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:18:00.088757992 CET	192.168.2.6	1.1.1.1	0xc9a5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:19:21.504853964 CET	192.168.2.6	1.1.1.1	0xe073	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:19:21.778862000 CET	192.168.2.6	1.1.1.1	0x6a9d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:19:21.929507971 CET	192.168.2.6	1.1.1.1	0xe8e9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 12:19:23.203808069 CET	192.168.2.6	1.1.1.1	0x13f7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 12:16:33.008730888 CET	1.1.1.1	192.168.2.6	0x6f6e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:33.008730888 CET	1.1.1.1	192.168.2.6	0x6f6e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.008826017 CET	1.1.1.1	192.168.2.6	0xc048	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.009563923 CET	1.1.1.1	192.168.2.6	0xbbae	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.090785027 CET	1.1.1.1	192.168.2.6	0x2492	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:33.090785027 CET	1.1.1.1	192.168.2.6	0x2492	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.092356920 CET	1.1.1.1	192.168.2.6	0x50ae	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.145888090 CET	1.1.1.1	192.168.2.6	0xf539	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:33.145888090 CET	1.1.1.1	192.168.2.6	0xf539	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.170977116 CET	1.1.1.1	192.168.2.6	0x532d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.171011925 CET	1.1.1.1	192.168.2.6	0x4f9a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.171024084 CET	1.1.1.1	192.168.2.6	0x673	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.450790882 CET	1.1.1.1	192.168.2.6	0xcac8	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 12:16:33.452431917 CET	1.1.1.1	192.168.2.6	0xc0bb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 12:16:33.810122013 CET	1.1.1.1	192.168.2.6	0x1d29	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.810136080 CET	1.1.1.1	192.168.2.6	0x2d99	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.811916113 CET	1.1.1.1	192.168.2.6	0x905f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:33.889111996 CET	1.1.1.1	192.168.2.6	0x35f9	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:33.889111996 CET	1.1.1.1	192.168.2.6	0x35f9	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:33.889111996 CET	1.1.1.1	192.168.2.6	0x35f9	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:34.378118038 CET	1.1.1.1	192.168.2.6	0x2182	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:34.388175964 CET	1.1.1.1	192.168.2.6	0x8c3f	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:34.632606030 CET	1.1.1.1	192.168.2.6	0xd4e3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 12:16:35.317054033 CET	1.1.1.1	192.168.2.6	0x81b3	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.320833921 CET	1.1.1.1	192.168.2.6	0xe939	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.320833921 CET	1.1.1.1	192.168.2.6	0xe939	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.517102957 CET	1.1.1.1	192.168.2.6	0x5961	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:35.517102957 CET	1.1.1.1	192.168.2.6	0x5961	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.629762888 CET	1.1.1.1	192.168.2.6	0x12e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:35.784454107 CET	1.1.1.1	192.168.2.6	0x7e6d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:36.610492945 CET	1.1.1.1	192.168.2.6	0x7272	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:36.623380899 CET	1.1.1.1	192.168.2.6	0x6e63	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:36.623380899 CET	1.1.1.1	192.168.2.6	0x6e63	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:37.041421890 CET	1.1.1.1	192.168.2.6	0x4a92	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:37.041449070 CET	1.1.1.1	192.168.2.6	0xd816	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:38.992392063 CET	1.1.1.1	192.168.2.6	0x6485	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:38.992392063 CET	1.1.1.1	192.168.2.6	0x6485	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:39.000363111 CET	1.1.1.1	192.168.2.6	0x1f1c	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:39.000363111 CET	1.1.1.1	192.168.2.6	0x1f1c	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:39.000363111 CET	1.1.1.1	192.168.2.6	0x1f1c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:39.001821041 CET	1.1.1.1	192.168.2.6	0xe3c5	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:39.030818939 CET	1.1.1.1	192.168.2.6	0xd4ad	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:40.025407076 CET	1.1.1.1	192.168.2.6	0x4436	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:44.383816004 CET	1.1.1.1	192.168.2.6	0xa4a0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.961818933 CET	1.1.1.1	192.168.2.6	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.962296963 CET	1.1.1.1	192.168.2.6	0xc35f	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:48.962296963 CET	1.1.1.1	192.168.2.6	0xc35f	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:48.963016987 CET	1.1.1.1	192.168.2.6	0x43b6	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:48.963016987 CET	1.1.1.1	192.168.2.6	0x43b6	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.976545095 CET	1.1.1.1	192.168.2.6	0xb1b3	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:49.977582932 CET	1.1.1.1	192.168.2.6	0xe1ff	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.058788061 CET	1.1.1.1	192.168.2.6	0xb779	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.114717960 CET	1.1.1.1	192.168.2.6	0x9f3f	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 12:16:50.114717960 CET	1.1.1.1	192.168.2.6	0x9f3f	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 12:16:50.114717960 CET	1.1.1.1	192.168.2.6	0x9f3f	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 12:16:50.114717960 CET	1.1.1.1	192.168.2.6	0x9f3f	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 12:16:50.116167068 CET	1.1.1.1	192.168.2.6	0x9a1	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 12:16:50.283590078 CET	1.1.1.1	192.168.2.6	0xac98	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 12:16:50.887602091 CET	1.1.1.1	192.168.2.6	0x7252	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.890723944 CET	1.1.1.1	192.168.2.6	0xfeb3	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:16:50.890723944 CET	1.1.1.1	192.168.2.6	0xfeb3	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.890723944 CET	1.1.1.1	192.168.2.6	0xfeb3	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.890723944 CET	1.1.1.1	192.168.2.6	0xfeb3	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:50.890723944 CET	1.1.1.1	192.168.2.6	0xfeb3	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:51.026427984 CET	1.1.1.1	192.168.2.6	0xa819	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:51.028945923 CET	1.1.1.1	192.168.2.6	0x7af2	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:51.028945923 CET	1.1.1.1	192.168.2.6	0x7af2	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:51.028945923 CET	1.1.1.1	192.168.2.6	0x7af2	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:16:51.028945923 CET	1.1.1.1	192.168.2.6	0x7af2	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.371915102 CET	1.1.1.1	192.168.2.6	0x7493	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:17:00.371915102 CET	1.1.1.1	192.168.2.6	0x7493	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.387554884 CET	1.1.1.1	192.168.2.6	0xba2	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.387554884 CET	1.1.1.1	192.168.2.6	0xba2	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.387554884 CET	1.1.1.1	192.168.2.6	0xba2	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.387554884 CET	1.1.1.1	192.168.2.6	0xba2	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.391727924 CET	1.1.1.1	192.168.2.6	0xe1fd	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.406266928 CET	1.1.1.1	192.168.2.6	0xddcc	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:17:00.406266928 CET	1.1.1.1	192.168.2.6	0xddcc	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.527194023 CET	1.1.1.1	192.168.2.6	0xd1c8	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.527194023 CET	1.1.1.1	192.168.2.6	0xd1c8	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.527194023 CET	1.1.1.1	192.168.2.6	0xd1c8	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.527194023 CET	1.1.1.1	192.168.2.6	0xd1c8	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.654593945 CET	1.1.1.1	192.168.2.6	0xe20c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:00.669492006 CET	1.1.1.1	192.168.2.6	0xe19b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 12:17:00.669492006 CET	1.1.1.1	192.168.2.6	0xe19b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 12:17:00.669492006 CET	1.1.1.1	192.168.2.6	0xe19b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 12:17:00.669492006 CET	1.1.1.1	192.168.2.6	0xe19b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 12:17:03.377007961 CET	1.1.1.1	192.168.2.6	0x29ed	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:17:03.377007961 CET	1.1.1.1	192.168.2.6	0x29ed	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:17:18.801374912 CET	1.1.1.1	192.168.2.6	0xe1a9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:17:18.801374912 CET	1.1.1.1	192.168.2.6	0xe1a9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:30.421834946 CET	1.1.1.1	192.168.2.6	0xda7c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:17:31.813703060 CET	1.1.1.1	192.168.2.6	0xbeae	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:17:31.813703060 CET	1.1.1.1	192.168.2.6	0xbeae	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:18:00.087064981 CET	1.1.1.1	192.168.2.6	0x6992	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:19:21.777410984 CET	1.1.1.1	192.168.2.6	0xe073	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:19:21.923841953 CET	1.1.1.1	192.168.2.6	0x6a9d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:19:23.342087984 CET	1.1.1.1	192.168.2.6	0x13f7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:19:23.342087984 CET	1.1.1.1	192.168.2.6	0x13f7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	34.107.221.82	80	4780	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 12:16:33.145001888 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:16:34.547373056 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 86332 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49727	34.107.221.82	80	4780	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 12:16:35.647417068 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:16:37.039700985 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74336 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:16:38.867845058 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:16:39.182276964 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74339 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:16:44.242381096 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:16:44.557770014 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74344 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:16:44.791851997 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:16:45.107290030 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74344 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:16:47.151657104 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:16:47.466306925 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74347 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:16:57.486820936 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:16:58.710794926 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:16:59.025660992 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74358 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:17:01.807446957 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:17:02.121932983 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74361 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:17:03.172327042 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:17:03.487009048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74363 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:17:13.496573925 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:17:18.981947899 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:17:19.296586990 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74379 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:17:20.264431953 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:17:20.579272985 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74380 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:17:30.584614038 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:17:31.993114948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:17:32.308101892 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74392 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:17:33.203630924 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:17:33.518409967 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74393 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:17:43.530021906 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:17:53.660217047 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:01.643398046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:18:01.958499908 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74421 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 12:18:11.982028961 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:22.103790045 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:32.233874083 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:42.363459110 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:52.493299961 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:19:23.523217916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 12:19:23.839392900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 74503 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49728	34.107.221.82	80	4780	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 12:16:35.647535086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:16:37.039733887 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69850 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:16:38.884219885 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:16:39.199810982 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69853 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:16:44.265703917 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:16:44.580893040 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69858 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:16:46.708792925 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:16:47.023686886 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69860 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:16:57.032192945 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:16:58.381856918 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:16:58.697035074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69872 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:17:01.486032963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:17:01.803437948 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69875 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:17:02.853230000 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:17:03.168898106 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69877 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:17:13.179991007 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:17:18.663563967 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:17:18.978940964 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:17:19.938059092 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:17:20.261432886 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69894 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:17:30.261528969 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:17:31.674787998 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:17:31.990003109 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69905 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:17:32.885467052 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:17:33.200570107 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69907 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:17:43.213521957 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:17:53.343857050 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:01.319871902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:18:01.634980917 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 69935 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 12:18:11.649924994 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:21.771528959 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:31.901787996 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:42.032172918 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:18:52.161151886 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 12:19:23.203552008 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 12:19:23.519457102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 15:52:26 GMT Age: 70017 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	06:16:22
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x410000
File size:	972'288 bytes
MD5 hash:	5860A1BB4E76AF912BA6A63AC572F7F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:16:23
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xfb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:16:23
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:16:26
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xfb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:16:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:16:26
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xfb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:16:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:16:26
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xfb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:16:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:16:26
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xfb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:16:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:16:27
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:16:27
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:16:27
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:16:28
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2220 -prefMapHandle 2216 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dede55c8-f234-419f-b22f-20f7e764d696} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2585d16d910 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	06:16:29
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3812 -parentBuildID 20230927232528 -prefsHandle 3828 -prefMapHandle 3840 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ee878f-6b8a-45b2-b47a-e105cf893977} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2585d188210 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	06:16:37
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4864 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da3b7b02-decf-4612-aa2a-065d83482b73} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 25875768b10 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.3%
Total number of Nodes:	1745
Total number of Limit Nodes:	56

Executed Functions

Function 004142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0041430D

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

GetCurrentProcess.KERNEL32(?,004ACB64,00000000,?,?), ref: 00414422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00414429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00414454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00414466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00414474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004144A0

Strings

|O, xrefs: 004536F8
kernel32.dll, xrefs: 0041444F
GetNativeSystemInfo, xrefs: 00414460

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: aaf28ca9ac9dff68355ec1cf01acc6150346ab212075de34b17506de4523a9e2
Instruction ID: 5bd0a10c115b8233cb2554a713b1d08cb2f7d6e949969e7e1139dd94e7fea33c
Opcode Fuzzy Hash: aaf28ca9ac9dff68355ec1cf01acc6150346ab212075de34b17506de4523a9e2
Instruction Fuzzy Hash: 6AA1C27198A2D0CFE711CB6978C05D97FA46B66741B0848FADC819BB33D2384959CB3E

Function 004142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004150AA,?,?,00000000,00000000), ref: 004142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004150AA,?,?,00000000,00000000), ref: 004142C9
LoadResource.KERNEL32(?,00000000,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20), ref: 004535BE
SizeofResource.KERNEL32(?,00000000,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20), ref: 004535D3
LockResource.KERNEL32(004150AA,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20,?), ref: 004535E6

Strings

SCRIPT, xrefs: 004142BF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 746cf777421605f4214d5d84872288f6da5fa601163c1849baf0c5c19e0d5c78
Instruction ID: 64b352aa6eec582408cddc42f2d7f946e43335457cb45514df6342ae0d7497fa
Opcode Fuzzy Hash: 746cf777421605f4214d5d84872288f6da5fa601163c1849baf0c5c19e0d5c78
Instruction Fuzzy Hash: 4E118E71600700BFD7218B65DC88FA77BBAEBC6B91F2041AEF402D6290DB71DC408675

Function 00452BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00412B6B

Part of subcall function 00413A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004E1418,?,00412E7F,?,?,?,00000000), ref: 00413A78

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004D2224), ref: 00452C10
ShellExecuteW.SHELL32(00000000,?,?,004D2224), ref: 00452C17

Strings

runas, xrefs: 00452C0B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: adc9694af30804778cb0f32cd20c049f26a85de0057f438f61f20be7b8d1c523
Instruction ID: ad4ded320dad4d48f974248dad2d2636c224a195f8523edf24c567d04a517595
Opcode Fuzzy Hash: adc9694af30804778cb0f32cd20c049f26a85de0057f438f61f20be7b8d1c523
Instruction Fuzzy Hash: B411D2312483456AC704FF21D9A19FE7BA4AB9175AF04142FF582421A3CF7C9A9AC71E

Function 0047D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047D501
Process32FirstW.KERNEL32(00000000,?), ref: 0047D50F
Process32NextW.KERNEL32(00000000,?), ref: 0047D52F
CloseHandle.KERNEL32(00000000), ref: 0047D5DC

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ae6df1fc43c79cceca9ac8620771c9b993d029c47febd1ffbe75dfa978aa0795
Instruction ID: f94cc9343f9b6e6d5958c8450b0b2dfa4962ca403455e7102376e4fbd1840aad
Opcode Fuzzy Hash: ae6df1fc43c79cceca9ac8620771c9b993d029c47febd1ffbe75dfa978aa0795
Instruction Fuzzy Hash: 4D31C471108300AFD300EF54C881AEFBBF8EF99348F14492EF585821A1EB759988CB96

Function 0047DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00455222), ref: 0047DBCE
GetFileAttributesW.KERNEL32(?), ref: 0047DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0047DBEE
FindClose.KERNEL32(00000000), ref: 0047DBFA

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 0d694c7e09d17afecbe423db6a296fda9315c71e712afbfc010a4e8934ba701c
Instruction ID: 09ebdddbf36ce4036177ee0147db7007318ee147bebc28438f175371bef3acbf
Opcode Fuzzy Hash: 0d694c7e09d17afecbe423db6a296fda9315c71e712afbfc010a4e8934ba701c
Instruction Fuzzy Hash: 0DF0A031C209105B92216B78AC4D8EB3BBC9E02334B148B53F83AC21E0EBB45D55869E

Function 0046D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0046D220

Strings

X64, xrefs: 0046D2A8
%.3d, xrefs: 0046D22B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 81253f641a5f5a98bce394ca3813c4d588d245ec96745857b2e480dcbb16bba2
Instruction ID: b52bc46e5dbfe121733fdbbb5c8bc0e645825aa0327b4366d18fcb6b8ed470db
Opcode Fuzzy Hash: 81253f641a5f5a98bce394ca3813c4d588d245ec96745857b2e480dcbb16bba2
Instruction Fuzzy Hash: 1FD012A1E08118E9CB9096D0DC559B9B77CAB09301FA084A3F80691040F72CD50AA76B

Function 00434CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000,?,004428E9), ref: 00434D09
TerminateProcess.KERNEL32(00000000,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000,?,004428E9), ref: 00434D10
ExitProcess.KERNEL32 ref: 00434D22

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 055a9437ebe809f51264ae9737a8e9a537305b218d522fa2cea4adfab8ac1e9c
Instruction ID: e2ce1280af31f4e8cff46ac7f0b083e64033e412971894a31d71b14f0566a782
Opcode Fuzzy Hash: 055a9437ebe809f51264ae9737a8e9a537305b218d522fa2cea4adfab8ac1e9c
Instruction Fuzzy Hash: 6EE0B631000148ABDFA1AF55DD49A993F69EB86785F104029FC159A232CB39ED42CB88

Function 0046D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0046D28C

Strings

X64, xrefs: 0046D2A8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 893398ad9dafa3edd6b738b8f27ec3f3615b9fdb97cc81ed712a2810b442ca0d
Instruction ID: ed0a3ed3a20f4c6a0c6a86f509358568946b49f33e52ce0ab44c71645a3f08ea
Opcode Fuzzy Hash: 893398ad9dafa3edd6b738b8f27ec3f3615b9fdb97cc81ed712a2810b442ca0d
Instruction Fuzzy Hash: FAD0C9B4D0516DEACB90CB90ECC8DD9B77CBB04305F100192F106A2000DB3495498F15

Function 0041BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#N, xrefs: 004607CE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#N
API String ID: 3964851224-2222828212
Opcode ID: ac0a59b12866e696265be126c0bcbb564f85bdc54d298cfaf696829fd8b51091
Instruction ID: 46ac8441f4e408f5f890657d813a83ac492ee8f03bec2790fc94a1389a817f05
Opcode Fuzzy Hash: ac0a59b12866e696265be126c0bcbb564f85bdc54d298cfaf696829fd8b51091
Instruction Fuzzy Hash: 39A26E706083419FC714DF15C480B6BB7E1BF89304F54896EE89A8B352E779EC85CB9A

Function 0049AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0049B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0049B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0049B1D4
_wcslen.LIBCMT ref: 0049B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0049B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0049B236
_wcslen.LIBCMT ref: 0049B332

Part of subcall function 004805A7: GetStdHandle.KERNEL32(000000F6), ref: 004805C6

_wcslen.LIBCMT ref: 0049B34B
_wcslen.LIBCMT ref: 0049B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0049B3B6
GetLastError.KERNEL32(00000000), ref: 0049B407
CloseHandle.KERNEL32(?), ref: 0049B439
CloseHandle.KERNEL32(00000000), ref: 0049B44A
CloseHandle.KERNEL32(00000000), ref: 0049B45C
CloseHandle.KERNEL32(00000000), ref: 0049B46E
CloseHandle.KERNEL32(?), ref: 0049B4E3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 82224c757f7ea9d4aa5fa78723aab2b1a69151092d2096864afd3e52562c1ca9
Instruction ID: 25048c09a4b289408e7811efd2d9f096f84f233f76021500413f10eee37acff8
Opcode Fuzzy Hash: 82224c757f7ea9d4aa5fa78723aab2b1a69151092d2096864afd3e52562c1ca9
Instruction Fuzzy Hash: B2F18F315042009FCB14EF25D985B6FBBE1EF85314F14856EF8855B2A2DB39EC44CB9A

Function 0041D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0041D807
timeGetTime.WINMM ref: 0041DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB28
TranslateMessage.USER32(?), ref: 0041DB7B
DispatchMessageW.USER32(?), ref: 0041DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB9F
Sleep.KERNEL32(0000000A), ref: 0041DBB1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5cdbbfa8e76e98f57142b31cde59ae90204db4ec5eda4dcd21b983d5e70bbd11
Instruction ID: 233eb11a11d6ee92a0007f630f6eca49b9dfb503b303113e6136d5293f7cdb47
Opcode Fuzzy Hash: 5cdbbfa8e76e98f57142b31cde59ae90204db4ec5eda4dcd21b983d5e70bbd11
Instruction Fuzzy Hash: 9C42E6B0A08641EFD724CF25C984BAAB7E4BF45304F14452FE4568B391D7B8E885CB8B

Function 00412CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412D07
RegisterClassExW.USER32(00000030), ref: 00412D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00412D42
InitCommonControlsEx.COMCTL32(?), ref: 00412D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00412D6F
LoadIconW.USER32(000000A9), ref: 00412D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00412D94

Strings

AutoIt v3 GUI, xrefs: 00412D23
TaskbarCreated, xrefs: 00412D37
+, xrefs: 00412CF0
0, xrefs: 00412CE9

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 32c5a8e4bb33209f5f27b13525c99b181c67f46ff3983be29a8df546a1a241be
Instruction ID: 26d889eeab7737b67dd740a4315651944a1799193d87aa314ad0eb52171a6d8d
Opcode Fuzzy Hash: 32c5a8e4bb33209f5f27b13525c99b181c67f46ff3983be29a8df546a1a241be
Instruction Fuzzy Hash: 8621E3B5D41259AFDB40DFA4E889BDDBFB4FB09700F00812AF911AA2A1D7B50540CF98

Function 0045065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0045039A: CreateFileW.KERNEL32(00000000,00000000,?,00450704,?,?,00000000,?,00450704,00000000,0000000C), ref: 004503B7

GetLastError.KERNEL32 ref: 0045076F
__dosmaperr.LIBCMT ref: 00450776
GetFileType.KERNEL32(00000000), ref: 00450782
GetLastError.KERNEL32 ref: 0045078C
__dosmaperr.LIBCMT ref: 00450795
CloseHandle.KERNEL32(00000000), ref: 004507B5
CloseHandle.KERNEL32(?), ref: 004508FF
GetLastError.KERNEL32 ref: 00450931
__dosmaperr.LIBCMT ref: 00450938

Strings

H, xrefs: 004508BD

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 62422ab422a217111100034ea33636ba52f09ab7fcb2cecb204abd2e280dd0aa
Instruction ID: 8e904d2056069bcdf7042deb4b8b28dc10fc79de7f2d6027b8a517a76bdb949f
Opcode Fuzzy Hash: 62422ab422a217111100034ea33636ba52f09ab7fcb2cecb204abd2e280dd0aa
Instruction Fuzzy Hash: 8AA138369001448FDF19AF68D891BAE7BA0AB0A325F14015EFC119F3D2DB799C17CB99

Function 0041344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004E1418,?,00412E7F,?,?,?,00000000), ref: 00413A78

Part of subcall function 00413357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00413379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0041356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0045318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004531CE
RegCloseKey.ADVAPI32(?), ref: 00453210
_wcslen.LIBCMT ref: 00453277
_wcslen.LIBCMT ref: 00453286

Strings

\, xrefs: 0045328C
\Include\, xrefs: 00413527
Include, xrefs: 00453184, 004531C5
Software\AutoIt v3\AutoIt, xrefs: 00413560

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 16a25dc0369a1aa6e1f6df93f3143bc5b33ed0faa7bd15497cd71a9bc1033406
Instruction ID: e858ca5e4124b1a09b43b7b6f1e66bc920bdadb0341b8ba7d42d13a84b332d22
Opcode Fuzzy Hash: 16a25dc0369a1aa6e1f6df93f3143bc5b33ed0faa7bd15497cd71a9bc1033406
Instruction Fuzzy Hash: 66717F714043409EC314DF66DD8299BBBE8BF95744F40443FF94587262EBB89A88CF69

Function 00412B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00412B9D
LoadIconW.USER32(00000063), ref: 00412BB3
LoadIconW.USER32(000000A4), ref: 00412BC5
LoadIconW.USER32(000000A2), ref: 00412BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00412BEF
RegisterClassExW.USER32(?), ref: 00412C40

Part of subcall function 00412CD4: GetSysColorBrush.USER32(0000000F), ref: 00412D07
Part of subcall function 00412CD4: RegisterClassExW.USER32(00000030), ref: 00412D31
Part of subcall function 00412CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00412D42
Part of subcall function 00412CD4: InitCommonControlsEx.COMCTL32(?), ref: 00412D5F
Part of subcall function 00412CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00412D6F
Part of subcall function 00412CD4: LoadIconW.USER32(000000A9), ref: 00412D85
Part of subcall function 00412CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00412D94

Strings

#, xrefs: 00412C16
0, xrefs: 00412C0F
AutoIt v3, xrefs: 00412C2F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5f3defe11aa67fa14354c54093b3ed26a43743fd2890b839e2a8da65b06e3452
Instruction ID: 3b2bc01a16742ff9486beedea7918da6c5c0350a629f755a44a63e5c1f45029d
Opcode Fuzzy Hash: 5f3defe11aa67fa14354c54093b3ed26a43743fd2890b839e2a8da65b06e3452
Instruction Fuzzy Hash: 7D210974E40358ABEB109FA5ECD5AAD7FB4FB48B50F00403AE901AA6B1D7B51540DF98

Function 0041B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041BB4E

Strings

p#N, xrefs: 0041BA72
x#N, xrefs: 00460207
p#N, xrefs: 0046024F
p#N, xrefs: 00460263
p#N, xrefs: 0041BB6B
x#N, xrefs: 00460168
p%N, xrefs: 0041BB32
p%N, xrefs: 0041B8DC

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#N$p#N$p#N$p#N$p%N$p%N$x#N$x#N
API String ID: 1385522511-494311825
Opcode ID: 8a64d12307e4e390af64acb4cfcc454f76e6b9f434aa96bce3073747270745ac
Instruction ID: 506366aa057c60245765c5e74e2f2a7793ee1dc189930ce2cd01e309ae8887d5
Opcode Fuzzy Hash: 8a64d12307e4e390af64acb4cfcc454f76e6b9f434aa96bce3073747270745ac
Instruction Fuzzy Hash: 5532AB70A002099FCB14CF55C994ABBB7B9EF44344F14805BED15AB391D7BCAD82CB9A

Function 00413170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0041316A,?,?), ref: 004131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0041316A,?,?), ref: 00413204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00413227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0041316A,?,?), ref: 00413232
CreatePopupMenu.USER32 ref: 00413246
PostQuitMessage.USER32(00000000), ref: 00413267

Strings

TaskbarCreated, xrefs: 0041322D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4d7a731822c9f1eb19ae1bfe0d2bbd7754fc1f3ff387ec4789a8d7fc6d7e87a2
Instruction ID: 6c59f49d2d4b00ad51ea740e1028840623781f8c34ef55a238766ca6cf6b1d49
Opcode Fuzzy Hash: 4d7a731822c9f1eb19ae1bfe0d2bbd7754fc1f3ff387ec4789a8d7fc6d7e87a2
Instruction Fuzzy Hash: 1F411935380144B6DB146F689D8D7FE3A59E706346F04413BF901892B2CBBD9EC1876E

Function 0041DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 004632B7
D%ND%N, xrefs: 0041E27E
D%N, xrefs: 0041E4B1
D%N, xrefs: 0046302D
D%N, xrefs: 0041E1E0
D%N, xrefs: 00462FDA

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: D%N$D%N$D%N$D%N$D%ND%N$Variable must be of type 'Object'.
API String ID: 0-465020055
Opcode ID: 62ad6ead034a5a7d9f5e09dac759bac245bd67147af77915c5c95c200de51e9e
Instruction ID: df5a792558cdc67f6a9d26343e17f7f96aab77dab69aaa5edb3678b55f59b8b1
Opcode Fuzzy Hash: 62ad6ead034a5a7d9f5e09dac759bac245bd67147af77915c5c95c200de51e9e
Instruction Fuzzy Hash: 24C2A179A00214DFCB14CF5AC880AAEB7B1BF08314F54856BED16AB351D379ED82CB59

Function 0041EC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041FE66

Strings

D%N, xrefs: 0046491E
D%ND%N, xrefs: 0041F05B
D%N, xrefs: 00464972
D%N, xrefs: 0041EFB7
D%N, xrefs: 0041F36A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%N$D%N$D%N$D%N$D%ND%N
API String ID: 1385522511-151714396
Opcode ID: 72de27f1d4e81292cea82ca0e162698e9bf35bc5821866b81af271eff7c48185
Instruction ID: 61c6448e5b8290e586e0019ff94775560ac3dd63477969fe731b29cc6b67c6c4
Opcode Fuzzy Hash: 72de27f1d4e81292cea82ca0e162698e9bf35bc5821866b81af271eff7c48185
Instruction Fuzzy Hash: ACB28D74608341CFCB14CF15D480A6AB7F1BF89304F24496EE9968B351D779EC8ACB9A

Function 00411410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00411459
CoUninitialize.COMBASE ref: 004114F8
UnregisterHotKey.USER32(?), ref: 004116DD
DestroyWindow.USER32(?), ref: 004524B9
FreeLibrary.KERNEL32(?), ref: 0045251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0045254B

Strings

close all, xrefs: 00411454

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fce59c1102903151d5f4b7688968df601bcdfd2800a9227e11e943ff6f888bd3
Instruction ID: 1cdaf9cef9cef249be199b6956ef20ef562f5cfe89942317c1ea88c597efcc65
Opcode Fuzzy Hash: fce59c1102903151d5f4b7688968df601bcdfd2800a9227e11e943ff6f888bd3
Instruction Fuzzy Hash: FAD1CE30701222DFCB19EF15C594A6AF7A0BF06705F1441AFE90A6B362DB38AC56CF49

Function 0047DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0047DE42
gethostname.WS2_32(?,00000100), ref: 0047DE5C
gethostbyname.WS2_32(?), ref: 0047DE69
inet_ntoa.WSOCK32(?), ref: 0047DEAB
_strcat.LIBCMT ref: 0047DEB9
WSACleanup.WSOCK32 ref: 0047DEDE

Strings

0.0.0.0, xrefs: 0047DE87

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 9e2aa5f9d5871fd23f62a04ad981a394069cf056d5d5ba26d9267c2e4c30a421
Instruction ID: 0be74e1a5556144794af25f9413a68f80be1d4a0109a6e9c52a7da8c556888a8
Opcode Fuzzy Hash: 9e2aa5f9d5871fd23f62a04ad981a394069cf056d5d5ba26d9267c2e4c30a421
Instruction Fuzzy Hash: B0113671900115ABDB25BB319C4AEEF7BBCDF55325F00417FF0099A191EF789A818A58

Function 00412C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00412C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00412CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00411CAD,?), ref: 00412CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00411CAD,?), ref: 00412CCF

Strings

edit, xrefs: 00412CAC
AutoIt v3, xrefs: 00412C89, 00412C8E, 00412C8F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2593c6742b82fe79092b42ec5e3f34119de21b5e21aa63ce0c963a6b0e605cb1
Instruction ID: 99052c86cc8cf3efcc0869b0853d3bb92962d71e3989a705adee18fcf6d74e1a
Opcode Fuzzy Hash: 2593c6742b82fe79092b42ec5e3f34119de21b5e21aa63ce0c963a6b0e605cb1
Instruction Fuzzy Hash: A5F03A759802D07AFB700713AC88E772EBDD7C7F50B00002AFD00AA5B1C2750840DAB8

Function 00413B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B83

Strings

Control Panel\Mouse, xrefs: 00413B3E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 089459aa4bae07c699fe4cf93e00379ad960607a0c012dee4c00178955b40e5d
Instruction ID: efe99ebc86e2a43639fa0a45ccb95c55ad0c1e52a376fff70b7430767290cc3a
Opcode Fuzzy Hash: 089459aa4bae07c699fe4cf93e00379ad960607a0c012dee4c00178955b40e5d
Instruction Fuzzy Hash: 34112AB5515208FFDB208FA5DC84AEFBBB8EF05745B10446AA805D7211E235AE809768

Function 0046D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0046D3BF
FreeLibrary.KERNEL32 ref: 0046D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0046D3B9
X64, xrefs: 0046D2A8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f1f536a6f2a6af520e501bc44b8f85bf0ddf890d1d1d9cf08b3cb1e71b5a83b9
Instruction ID: eb3fd32eb4a23ec234452eacef63ff6ae43b5d4cafe3d40ef5ada43a0b1292ec
Opcode Fuzzy Hash: f1f536a6f2a6af520e501bc44b8f85bf0ddf890d1d1d9cf08b3cb1e71b5a83b9
Instruction Fuzzy Hash: C3F055B1F05A208BD7B102115CB4AAA3720AF11702B98C1A7EC02E9308F72CCC818ADF

Function 00413923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004533A2

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00413A04

Strings

Line: , xrefs: 004533EB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3cfa4a6120bdb71dbfc998775039c3311db7cd32a98a744cce4c29e7cc43b322
Instruction ID: 64eb98bd1e8a2c6d8bf1d1448a80795433b550d303183492142cb03938254339
Opcode Fuzzy Hash: 3cfa4a6120bdb71dbfc998775039c3311db7cd32a98a744cce4c29e7cc43b322
Instruction Fuzzy Hash: 6E31E571448304AAD321EF20DC45BEBB7D8AF44719F10092FF999931A1DB789A89C7CE

Function 00412DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00452C8C

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 00412DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00412DC4

Strings

`eM, xrefs: 00452C85
X, xrefs: 00452C5A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eM
API String ID: 779396738-3105956497
Opcode ID: 007bc4fc2ed29e8fa6074b4542330180b982ea32c1c1f0f6e4dc116566c22c30
Instruction ID: 60189ebbf70a092f4650bb241f0bb35d40b29c1db4a319a09a0ab6a936fb48da
Opcode Fuzzy Hash: 007bc4fc2ed29e8fa6074b4542330180b982ea32c1c1f0f6e4dc116566c22c30
Instruction Fuzzy Hash: F221C671A00258ABDB41DF95D8457EE7BF89F49305F00805BE405E7341DBFC55898F69

Function 0042FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00430668

Part of subcall function 004332A4: RaiseException.KERNEL32(?,?,?,0043068A,?,004E1444,?,?,?,?,?,?,0043068A,00411129,004D8738,00411129), ref: 00433304

__CxxThrowException@8.LIBVCRUNTIME ref: 00430685

Strings

Unknown exception, xrefs: 00430692

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 69e14e7717e1c5e950dc7e9d52de0ed288cfc225bbd858c076ed927c420365e1
Instruction ID: 8a9ef89cd59e2d12a381263514402eb75b796a092c879378687861d6288dc8f0
Opcode Fuzzy Hash: 69e14e7717e1c5e950dc7e9d52de0ed288cfc225bbd858c076ed927c420365e1
Instruction Fuzzy Hash: CBF0283090020C73CB00FAA6E856D9F777C5E04314FA0423BB814D16D5EF78DA59C58C

Function 004110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00411BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411BF4
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00411BFC
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411C07
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00411C12
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00411C1A
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00411C22

Part of subcall function 00411B4A: RegisterWindowMessageW.USER32(00000004,?,004112C4), ref: 00411BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0041136A
OleInitialize.OLE32 ref: 00411388
CloseHandle.KERNEL32(00000000,00000000), ref: 004524AB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: f027a6039df0b6a9ccfefb81605198734c514decc3f3f1bf7136d63f389a4569
Instruction ID: b84454b7ec4f0764e400905ca68859637c0bfc71ced587ec1fd0445a8f5a922f
Opcode Fuzzy Hash: f027a6039df0b6a9ccfefb81605198734c514decc3f3f1bf7136d63f389a4569
Instruction Fuzzy Hash: 807181B4991380AF8384EF7AA9C56A93AE4BB89344754853FD41ACB372E7344481CF4D

Function 0047C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00413923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00413A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0047C259
KillTimer.USER32(?,00000001,?,?), ref: 0047C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0047C270

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 19cbec374081e78010e2f5191070ee544f18fa0f3289eaef025c164c73595352
Instruction ID: 07c0a4e9dda9abd1281bfa016e86650e58038c89447dd5e7653cab4097062b5a
Opcode Fuzzy Hash: 19cbec374081e78010e2f5191070ee544f18fa0f3289eaef025c164c73595352
Instruction Fuzzy Hash: 7731B170904344AFEB22CF6498D5BE7BBEC9B06308F0044DED69EA7242C7785A85CB59

Function 004486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,004485CC,?,004D8CC8,0000000C), ref: 00448704
GetLastError.KERNEL32(?,004485CC,?,004D8CC8,0000000C), ref: 0044870E
__dosmaperr.LIBCMT ref: 00448739

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: cce0ef7157022dc22e8da79089ef6260ca41a62ec3158b915f3db859766f3306
Instruction ID: ea73b3928fc640aac435520ba355ecc7594b0d5115cddce301038186b9cb4e05
Opcode Fuzzy Hash: cce0ef7157022dc22e8da79089ef6260ca41a62ec3158b915f3db859766f3306
Instruction Fuzzy Hash: CA016F3360416027FAA16634588577F27594B92778F36011FFC148B2D3DDAC8C81815C

Function 0041DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0041DB7B
DispatchMessageW.USER32(?), ref: 0041DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB9F
Sleep.KERNEL32(0000000A), ref: 0041DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00461CC9

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7dc6f04953acee438d6cfbe4919970260107ddd43f23a896f61b748bab606d7e
Instruction ID: 549212170e5995362c6f35e5c4ec1d5f8b3e2d2477322f221449ac2b3544161b
Opcode Fuzzy Hash: 7dc6f04953acee438d6cfbe4919970260107ddd43f23a896f61b748bab606d7e
Instruction Fuzzy Hash: 6AF054706443419BE770D761CC85FDB77ACEB45310F10452AE61A831D0DB38A4848B1E

Function 00421310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004217F6

Strings

CALL, xrefs: 004217C6

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: a4ad1aecee61130cc163536f8a30ae160d0fab161993f3757f15766bd7db4cf2
Instruction ID: a776517bb2fe5df75cedd954906f4bafdafd1e5466ba507881bd09a3726e9400
Opcode Fuzzy Hash: a4ad1aecee61130cc163536f8a30ae160d0fab161993f3757f15766bd7db4cf2
Instruction Fuzzy Hash: 7422CE706083119FC714DF15E480B2ABBF1BF95308F54896EF8868B361D779E885CB8A

Function 004201E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4282b0ab2aa09d447ef89be6d49a17f806d6ee72f0f536aeab346107083df45c
Instruction ID: 4de982e3faeed224387d436d7402ae6ea5d0e57d0f1fbb3cd50b79ff0a19c1be
Opcode Fuzzy Hash: 4282b0ab2aa09d447ef89be6d49a17f806d6ee72f0f536aeab346107083df45c
Instruction Fuzzy Hash: 0732F430B00614DFCB14DF55D885BAEB7B0AF04314F9445ABE816A73A2E739ED84CB5A

Function 0046D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0046D375

Strings

X64, xrefs: 0046D2A8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 9f28c2ab32197a4aa4f6a19e707c951d35014d7caa80fa7b810ba7fad5108f3a
Instruction ID: 7fbf27e96013c9bd0dab01d335eebd70a8c76fbb4217e2dc799425f00972ee65
Opcode Fuzzy Hash: 9f28c2ab32197a4aa4f6a19e707c951d35014d7caa80fa7b810ba7fad5108f3a
Instruction Fuzzy Hash: 93D0C9B5D05168EACB90CB80ECC8DD9B7BCBB04305F504192F402A2000E77895499B16

Function 00413837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413908

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f9938d2b0b43a721b09cec2748b82e54fc3efe950bbc5c5b80701b8e260995e1
Instruction ID: 056957f1de2ae35761f1b6e384e14098924950fae4bfab9b2b904b30d0ce5a52
Opcode Fuzzy Hash: f9938d2b0b43a721b09cec2748b82e54fc3efe950bbc5c5b80701b8e260995e1
Instruction Fuzzy Hash: 7B31AEB06043009FE320EF65D8847D7BBE8FB49709F00092FF99987251E775AA84CB5A

Function 0042F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0042F661

Part of subcall function 0041D730: GetInputState.USER32 ref: 0041D807

Sleep.KERNEL32(00000000), ref: 0046F2DE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 12c28d855accd201bc2b3bfc37119bf12fa153e1894a38738301fabeec9362f7
Instruction ID: 6b4aa508ff43c5fcbd79eb740f9a3b29f5e869f4e5e1717f3dd2a331738286c1
Opcode Fuzzy Hash: 12c28d855accd201bc2b3bfc37119bf12fa153e1894a38738301fabeec9362f7
Instruction Fuzzy Hash: E8F08271240215AFD350EF65D445B9ABBE5FF45764F00003AE859C72A0EB70A840CF99

Function 00414ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E9C
Part of subcall function 00414E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414EAE
Part of subcall function 00414E90: FreeLibrary.KERNEL32(00000000,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EFD

Part of subcall function 00414E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E62
Part of subcall function 00414E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414E74
Part of subcall function 00414E59: FreeLibrary.KERNEL32(00000000,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E87

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7105be3e625b6789eedda4a0fb4253c0138869e0127055b4b7711cd55418853a
Instruction ID: 900f2c9c90345bbf6c8c6cc6d72cff397e7799e8d9f53e8a554612d68bf07ed7
Opcode Fuzzy Hash: 7105be3e625b6789eedda4a0fb4253c0138869e0127055b4b7711cd55418853a
Instruction Fuzzy Hash: 39112732600305ABCF11BF62DD02FED77A4AF80715F10842FF442AA2C1DE789A86D758

Function 00448402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00448440

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2ba38ccc1f517318ac4ca6c83e4bfe39dc5b3b419bedfe04272d4e55b40f7bb4
Instruction ID: 468fc146550a3b5ad369d51ca4c32303ba9c9804c984b30da46b8717e1514b66
Opcode Fuzzy Hash: 2ba38ccc1f517318ac4ca6c83e4bfe39dc5b3b419bedfe04272d4e55b40f7bb4
Instruction Fuzzy Hash: 9C11187590410AAFDB15DF58E94199F7BF5EF48314F14406AFC08AB312EA31EA11CBA9

Function 00445000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444C7D: RtlAllocateHeap.NTDLL(00000008,00411129,00000000,?,00442E29,00000001,00000364,?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?), ref: 00444CBE

_free.LIBCMT ref: 0044506C

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3207294c87015c732eee2cb8e60bba1371940945a62811add9f7db552efcf610
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: E9014E762047055BF7318F55D881A5AFBEDFB85370F65051EF184932C1EA746805C778

Function 0043E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 4d792ed2e3683cdd0f0f3db6df7e6a3928387465b157af95a35fa66ad32eb828
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2DF0F932912A14D6E6313A679C06B5B37989F66339F50171FF420922D2CB7CD40285AD

Function 00444C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00411129,00000000,?,00442E29,00000001,00000364,?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?), ref: 00444CBE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 00b8a9029b60a4de6008d7f84fe3df22ef27a5458a4a8b3990a9dd5d917f4057
Instruction ID: 7ee51492ea6bf53f0f876b325c3ebd3a3d483ebfaeec00ef9577486e0ae18ae0
Opcode Fuzzy Hash: 00b8a9029b60a4de6008d7f84fe3df22ef27a5458a4a8b3990a9dd5d917f4057
Instruction Fuzzy Hash: CAF0B43164222466FB215F62AC85B5B3788AFC17B1B1E4127BC15AB2D1CA38D80146AC

Function 00443820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f80a1775c4178c73938ae438c7dc3135fc328c179332c78d4bdc76bbfe87b6fe
Instruction ID: 2be2194f537c97b26d387be2b5a0cfa5e511e3eb05b278967ff7e17510578f57
Opcode Fuzzy Hash: f80a1775c4178c73938ae438c7dc3135fc328c179332c78d4bdc76bbfe87b6fe
Instruction Fuzzy Hash: 49E0E53110022496F6213E679C01B9BB6C9AB82FB2F050037BC14966D1DB29ED0185ED

Function 00414F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414F6D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e81d9c48a0a96b64a1673927d00dc671cac0e2df3dc051f73cd1d71df787b82
Instruction ID: d8e467e417625fc9cc4bbec40cd4c4cc744f867c383fa02e1d3cfa8514ed483f
Opcode Fuzzy Hash: 5e81d9c48a0a96b64a1673927d00dc671cac0e2df3dc051f73cd1d71df787b82
Instruction Fuzzy Hash: 0BF0A970105302CFCB348F21D4908A2BBE0EF44329320897FE1EA86720C739988ADF08

Function 004A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004A2A66

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1c12b465f1a897295ca47a6b7ac2352397185d511a2daf52b6b321ac2aa30acf
Instruction ID: 2adda7da943e03969f9efe6a3a539bc8c6ab1c2384465282f44adeaf0f934759
Opcode Fuzzy Hash: 1c12b465f1a897295ca47a6b7ac2352397185d511a2daf52b6b321ac2aa30acf
Instruction Fuzzy Hash: 50E0DF72340116AEC750EA35DC809FE734CEB61399B00443BAC2AC2100DB788986A2A8

Function 004130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041314E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8d4745098d247c865b053b599f1c001060be833388ed5f776e639976ecd23720
Instruction ID: 9644816f2644e973a62ff5c4221b72a75d44b3e4d76f69f2c84862296c4903f2
Opcode Fuzzy Hash: 8d4745098d247c865b053b599f1c001060be833388ed5f776e639976ecd23720
Instruction Fuzzy Hash: DAF0A7709403449FE752DF24DC857D67BBCA70570CF0000F9A54896292D77447C8CF49

Function 00412DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00412DC4

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 07e93df19021665f8703897f14feb267f6a17ad950f393ec9de9c6906b6ee212
Instruction ID: 2739d31557871911e61141ce964b9a973c10960a1f6eb8ab37d91c0c6c9ed021
Opcode Fuzzy Hash: 07e93df19021665f8703897f14feb267f6a17ad950f393ec9de9c6906b6ee212
Instruction Fuzzy Hash: 2FE0C273A042245BCB20A2999C06FEA77EDDFC8794F0500B6FD09E7258DA64ED848698

Function 00412B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00413837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413908

Part of subcall function 0041D730: GetInputState.USER32 ref: 0041D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00412B6B

Part of subcall function 004130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041314E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 448c220d5c012b6285b664cea2ddf5140af79e0b910bfb50521a8966eba76f2c
Instruction ID: 05eef3e647f2d1bdc569f713e98c19156a91d242edd2c6bba7c316fc13daa8e0
Opcode Fuzzy Hash: 448c220d5c012b6285b664cea2ddf5140af79e0b910bfb50521a8966eba76f2c
Instruction Fuzzy Hash: 8AE04F3160424407CA04BF66A8525EDA7999B9535AF40553FF142862A3CF6C89C5435A

Function 0047DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0047DF40

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: f6705d9227ba7567bc0ce9352d06973421fd87983c5233cff2053ced5b742954
Instruction ID: 2fe7420eb5bb318cdf2d4631e4c232d890854f23421bac1ee5dcfe98f4f5da88
Opcode Fuzzy Hash: f6705d9227ba7567bc0ce9352d06973421fd87983c5233cff2053ced5b742954
Instruction Fuzzy Hash: 6ED05EA2A002282BDF60A6759C0DDF73AACC744214F0006B1786DD3152E924ED8486B4

Function 0045039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00450704,?,?,00000000,?,00450704,00000000,0000000C), ref: 004503B7

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 13cd5b35064a8f4c334f2466d3f35b3b711b8666d2090b4f2faec2d5c0f6257b
Instruction ID: 04a77af7f8c2275ecb2ffb4b20581333ca1a498ae7f0c6d44ef901ceab7b802d
Opcode Fuzzy Hash: 13cd5b35064a8f4c334f2466d3f35b3b711b8666d2090b4f2faec2d5c0f6257b
Instruction Fuzzy Hash: 23D06C3214010DBBDF028F84DD46EDA3FAAFB48714F014010BE1856020C736E821AB94

Function 00411CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00411CBC

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a651408382e47b846d8772c1fe62edfba992f306b6b4cddaca8a63fcdc23facc
Instruction ID: c43445fa6cd2b0e5a4a152cc0ed159e05a7acda552d4d864697e47614e2418b9
Opcode Fuzzy Hash: a651408382e47b846d8772c1fe62edfba992f306b6b4cddaca8a63fcdc23facc
Instruction Fuzzy Hash: 20C09B356C0354BFF2144780BDCAF107754A348B00F444011F6095D5F3C7F11810D758

Non-executed Functions

Function 004A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A96C9
SendMessageW.USER32 ref: 004A96F2
GetKeyState.USER32(00000011), ref: 004A978B
GetKeyState.USER32(00000009), ref: 004A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004A97AE
GetKeyState.USER32(00000010), ref: 004A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A97E9
SendMessageW.USER32 ref: 004A9810
SendMessageW.USER32(?,00001030,?,004A7E95), ref: 004A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004A9941
SetCapture.USER32(?), ref: 004A994A
ClientToScreen.USER32(?,?), ref: 004A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004A99D6
ReleaseCapture.USER32 ref: 004A99E1
GetCursorPos.USER32(?), ref: 004A9A19
ScreenToClient.USER32(?,?), ref: 004A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004A9A80
SendMessageW.USER32 ref: 004A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004A9AEB
SendMessageW.USER32 ref: 004A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004A9B4A
GetCursorPos.USER32(?), ref: 004A9B68
ScreenToClient.USER32(?,?), ref: 004A9B75
GetParent.USER32(?), ref: 004A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004A9BFA
SendMessageW.USER32 ref: 004A9C2B
ClientToScreen.USER32(?,?), ref: 004A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004A9CDE
SendMessageW.USER32 ref: 004A9D01
ClientToScreen.USER32(?,?), ref: 004A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004A9D82

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

GetWindowLongW.USER32(?,000000F0), ref: 004A9E05

Strings

F, xrefs: 004A9D07
@GUI_DRAGID, xrefs: 004A997D
p#N, xrefs: 004A9990

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#N
API String ID: 3429851547-2054023450
Opcode ID: 3faf7f7d99aa7be426bc0ffa34db28e195b7383e21ce021d671e6d87b7168031
Instruction ID: 2872065ed9abebc30ef48a79d199d808c24ffbffe602ce20e88ab05f5eb9e2d2
Opcode Fuzzy Hash: 3faf7f7d99aa7be426bc0ffa34db28e195b7383e21ce021d671e6d87b7168031
Instruction Fuzzy Hash: CA42AC74605240AFDB24CF24CC84AABBBE5FF5A314F14062EF699872A1D735EC50CB5A

Function 004A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004A4A7E
IsMenu.USER32(?), ref: 004A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A4B20
GetWindowLongW.USER32(?,000000F0), ref: 004A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004A4C82
wsprintfW.USER32 ref: 004A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004A4D5A

Strings

%d/%02d/%02d, xrefs: 004A4CA8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6d23585f77e9bf7a1ab9b6457d622bd789e1dfe4831b7e7b6fb5b3df4ce861c1
Instruction ID: d4e54a8277d1ec3bdc5d3dffb94d56975de19d66760bfbbcc03ba14aa7d86c4f
Opcode Fuzzy Hash: 6d23585f77e9bf7a1ab9b6457d622bd789e1dfe4831b7e7b6fb5b3df4ce861c1
Instruction Fuzzy Hash: D812D171600214AFEB258F24DC49FAF7BF8AFD6314F10412AF515EA2E1DBB89941CB58

Function 0042F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0042F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0046F474
IsIconic.USER32(00000000), ref: 0046F47D
ShowWindow.USER32(00000000,00000009), ref: 0046F48A
SetForegroundWindow.USER32(00000000), ref: 0046F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046F4AA
GetCurrentThreadId.KERNEL32 ref: 0046F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0046F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0046F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0046F4DE
SetForegroundWindow.USER32(00000000), ref: 0046F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F4F6
keybd_event.USER32(00000012,00000000), ref: 0046F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F50B
keybd_event.USER32(00000012,00000000), ref: 0046F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F519
keybd_event.USER32(00000012,00000000), ref: 0046F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F528
keybd_event.USER32(00000012,00000000), ref: 0046F52D
SetForegroundWindow.USER32(00000000), ref: 0046F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0046F557

Strings

Shell_TrayWnd, xrefs: 0046F46F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2b396dec389d5808e26e17054d6bf84b8e6eb8f18ddd4c07db2f3a4fc30e717a
Instruction ID: 6f0a8fd8c16c7855d3511cfa0acd8bab40b8d326641864457239685d22461f6e
Opcode Fuzzy Hash: 2b396dec389d5808e26e17054d6bf84b8e6eb8f18ddd4c07db2f3a4fc30e717a
Instruction Fuzzy Hash: 77315471B40328BFEB206BB55C8AFBF7E6CEB45B50F100076F601E61D1DAB55D00AA69

Function 00471201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
Part of subcall function 004716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
Part of subcall function 004716C3: GetLastError.KERNEL32 ref: 0047174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00471286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004712A8
CloseHandle.KERNEL32(?), ref: 004712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004712D1
GetProcessWindowStation.USER32 ref: 004712EA
SetProcessWindowStation.USER32(00000000), ref: 004712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00471310

Part of subcall function 004710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004711FC), ref: 004710D4
Part of subcall function 004710BF: CloseHandle.KERNEL32(?,?,004711FC), ref: 004710E9

Strings

winsta0, xrefs: 004712CC
ZM, xrefs: 00471392
, xrefs: 0047125A
default, xrefs: 0047130B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZM
API String ID: 22674027-4222036657
Opcode ID: 69e0ae164bb8968abb69f16b95a6b97d319ef9389a12664555fe694c40802967
Instruction ID: 5ebe5b4610c0680d9d62e6ad8f3315e4581e40c96d5973091170d4397814dd83
Opcode Fuzzy Hash: 69e0ae164bb8968abb69f16b95a6b97d319ef9389a12664555fe694c40802967
Instruction Fuzzy Hash: A481A171900209AFDF219FA8DC49FEF7FB9EF05704F14812AF914A62A0D7388944CB69

Function 00470B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
Part of subcall function 004710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
Part of subcall function 004710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
Part of subcall function 004710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00470BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00470C00
GetLengthSid.ADVAPI32(?), ref: 00470C17
GetAce.ADVAPI32(?,00000000,?), ref: 00470C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00470C6D
GetLengthSid.ADVAPI32(?), ref: 00470C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00470C8C
HeapAlloc.KERNEL32(00000000), ref: 00470C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00470CB4
CopySid.ADVAPI32(00000000), ref: 00470CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00470CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00470D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00470D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D45
HeapFree.KERNEL32(00000000), ref: 00470D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D55
HeapFree.KERNEL32(00000000), ref: 00470D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D65
HeapFree.KERNEL32(00000000), ref: 00470D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00470D78
HeapFree.KERNEL32(00000000), ref: 00470D7F

Part of subcall function 00471193: GetProcessHeap.KERNEL32(00000008,00470BB1,?,00000000,?,00470BB1,?), ref: 004711A1
Part of subcall function 00471193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470BB1,?), ref: 004711A8
Part of subcall function 00471193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00470BB1,?), ref: 004711B7

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1b8153b32cc06ffeacdc767c23e31243b0441e50c6438e83969ba2ff51be4d39
Instruction ID: f75398bc8c1c949a0eff6f3967684da32f54ae3d3bbeb5faa71af6c81c44da00
Opcode Fuzzy Hash: 1b8153b32cc06ffeacdc767c23e31243b0441e50c6438e83969ba2ff51be4d39
Instruction Fuzzy Hash: 5A714C7190120AEFDF209FE4DC84BEFBBB8AF05304F148526E919A6291D779A905CF64

Function 0048EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004ACC08), ref: 0048EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0048EB37
GetClipboardData.USER32(0000000D), ref: 0048EB43
CloseClipboard.USER32 ref: 0048EB4F
GlobalLock.KERNEL32(00000000), ref: 0048EB87
CloseClipboard.USER32 ref: 0048EB91
GlobalUnlock.KERNEL32(00000000), ref: 0048EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0048EBC9
GetClipboardData.USER32(00000001), ref: 0048EBD1
GlobalLock.KERNEL32(00000000), ref: 0048EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0048EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0048EC38
GetClipboardData.USER32(0000000F), ref: 0048EC44
GlobalLock.KERNEL32(00000000), ref: 0048EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0048EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0048EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0048ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0048ECF3
CountClipboardFormats.USER32 ref: 0048ED14
CloseClipboard.USER32 ref: 0048ED59

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 6b4e96f6a69040cf0d6115442954a480089e9f58b116ef10b6fea427e8af3e67
Instruction ID: 9306f0b11657eb8d9a23f21ffc00f9e261983ffbde9b1bd8d88eeb74486a11bb
Opcode Fuzzy Hash: 6b4e96f6a69040cf0d6115442954a480089e9f58b116ef10b6fea427e8af3e67
Instruction Fuzzy Hash: FC61F5352043029FD300EF26C884F6E7BE4AF85714F04496EF456872A2DB39ED45CB6A

Function 0048698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004869BE
FindClose.KERNEL32(00000000), ref: 00486A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00486A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00486A75

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00486AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00486ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00486B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00486B32
%03d, xrefs: 00486DA2
%02d, xrefs: 00486C00, 00486C0A, 00486C5A, 00486CAA, 00486CFA, 00486D4A
%4d, xrefs: 00486BB1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d50b361ecc7459d6a310d35c16ad13c7e183dbb0e16df1676b4f462f063730cb
Instruction ID: 952399157b43fb10bf334b2d9b7ad416bf02b22bcdc3439a9c8d05a9a9766f16
Opcode Fuzzy Hash: d50b361ecc7459d6a310d35c16ad13c7e183dbb0e16df1676b4f462f063730cb
Instruction Fuzzy Hash: BFD15371508300AFC714EBA5D891EAFB7ECAF88708F44491EF589C7291EB38DA44C766

Function 00489642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00489663
GetFileAttributesW.KERNEL32(?), ref: 004896A1
SetFileAttributesW.KERNEL32(?,?), ref: 004896BB
FindNextFileW.KERNEL32(00000000,?), ref: 004896D3
FindClose.KERNEL32(00000000), ref: 004896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0048974A
SetCurrentDirectoryW.KERNEL32(004D6B7C), ref: 00489768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00489772
FindClose.KERNEL32(00000000), ref: 0048977F
FindClose.KERNEL32(00000000), ref: 0048978F

Strings

*.*, xrefs: 004896F5

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b37c28f8aa6febed70524a5c74c0ac3342af179ceccea51debf3ec7e05f1a97a
Instruction ID: 76abdfb5c3706c9f0603e01a83b8f067962f123f56fa04c96d695ab40ba92a32
Opcode Fuzzy Hash: b37c28f8aa6febed70524a5c74c0ac3342af179ceccea51debf3ec7e05f1a97a
Instruction Fuzzy Hash: 9431B432500619AADB10BFB4DC48AEF77AC9F49320F1845A7E805E2290EB38DD408B5C

Function 0048979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 004897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00489819
FindClose.KERNEL32(00000000), ref: 00489824
FindFirstFileW.KERNEL32(*.*,?), ref: 00489840
SetCurrentDirectoryW.KERNEL32(?), ref: 00489890
SetCurrentDirectoryW.KERNEL32(004D6B7C), ref: 004898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004898B8
FindClose.KERNEL32(00000000), ref: 004898C5
FindClose.KERNEL32(00000000), ref: 004898D5

Part of subcall function 0047DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0047DB00

Strings

*.*, xrefs: 0048983B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 582084bc44084f2350d59844ef028be15d9055e5863383b6f64733860eee3faf
Instruction ID: 2526aa5c16bd58def1cde4d971fda47a61c40baeea5adc0bf30615f079905b43
Opcode Fuzzy Hash: 582084bc44084f2350d59844ef028be15d9055e5863383b6f64733860eee3faf
Instruction Fuzzy Hash: 5A31A532500A1A6EDF10BFB5DC48AEF77AC9F06324F1845A7E814A2290DB38DD458B6C

Function 0047D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

FindFirstFileW.KERNEL32(?,?), ref: 0047D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0047D1DD
MoveFileW.KERNEL32(?,?), ref: 0047D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0047D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047D237

Part of subcall function 0047D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0047D21C,?,?), ref: 0047D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0047D253
FindClose.KERNEL32(00000000), ref: 0047D264

Strings

\*.*, xrefs: 0047D0CD, 0047D0D6, 0047D0EB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 52b6dc8331a7ce922533ba6c519eb5c51158a04816a5c1bfc2b72679fcad07fe
Instruction ID: c9bd246417695e58f40d9c310ba86c615feddd4b560745cbcdddbfd4be17de3e
Opcode Fuzzy Hash: 52b6dc8331a7ce922533ba6c519eb5c51158a04816a5c1bfc2b72679fcad07fe
Instruction Fuzzy Hash: 50619271C1110D9FCF05EBE1C9929EDB775AF15304F2481AAE40677192EB386F4ACB68

Function 0048ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0048ED91
EmptyClipboard.USER32 ref: 0048ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0048EDAC
CloseClipboard.USER32 ref: 0048EEA3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cd68f13ec782993252d30324e1fb8098c14ce5da59e5cb62fc8a2c464e88e98a
Instruction ID: f6a1ee12a9bf1f9d6cd9cfd059f083aaf3a7f76c7cfd54588a7e6f3cede820cf
Opcode Fuzzy Hash: cd68f13ec782993252d30324e1fb8098c14ce5da59e5cb62fc8a2c464e88e98a
Instruction Fuzzy Hash: 4141A235604611DFD310DF16D888B6ABBE1EF45318F14C4AAE4198B7A2C739EC42CB98

Function 0047E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
Part of subcall function 004716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
Part of subcall function 004716C3: GetLastError.KERNEL32 ref: 0047174A

ExitWindowsEx.USER32(?,00000000), ref: 0047E932

Strings

, xrefs: 0047E920
SeShutdownPrivilege, xrefs: 0047E902
, xrefs: 0047E95C
@, xrefs: 0047E925

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c0bb1e47f55966020c3eb9b5c09e81f143c2da03bb055d585ed43775d9d982f9
Instruction ID: 4121d37f4915808f1e42dbe2fa5f43559ff917019860fa529bbb4499c1d22683
Opcode Fuzzy Hash: c0bb1e47f55966020c3eb9b5c09e81f143c2da03bb055d585ed43775d9d982f9
Instruction Fuzzy Hash: B4012BF3610210ABEB5426B69C85FFB765C9708744F158667FA06F21D1D6685C40829C

Function 00491204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00491276
WSAGetLastError.WSOCK32 ref: 00491283
bind.WSOCK32(00000000,?,00000010), ref: 004912BA
WSAGetLastError.WSOCK32 ref: 004912C5
closesocket.WSOCK32(00000000), ref: 004912F4
listen.WSOCK32(00000000,00000005), ref: 00491303
WSAGetLastError.WSOCK32 ref: 0049130D
closesocket.WSOCK32(00000000), ref: 0049133C

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f2901c0e9320d57d6022956eb0eba1e4c89fefc9eb384b579d7bac31061d82de
Instruction ID: 36fb13bde51371ff65b9a3fbae29feb4be3297c3ac66fa839b86cba43553d432
Opcode Fuzzy Hash: f2901c0e9320d57d6022956eb0eba1e4c89fefc9eb384b579d7bac31061d82de
Instruction Fuzzy Hash: A64162316001019FDB10EF64C484B6ABBE5BF46318F1881ADD8569F3E6C779ED81CBA5

Function 0044B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044B9D4
_free.LIBCMT ref: 0044B9F8
_free.LIBCMT ref: 0044BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004B3700), ref: 0044BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0044BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004E1270,000000FF,?,0000003F,00000000,?), ref: 0044BC36
_free.LIBCMT ref: 0044BD4B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 947d3d152d4689eb1bfec6cf6bdd486f82cd9c713d1e7efe0a6840d044974208
Instruction ID: e9597cbb70ea9c676cba07968464c17cb60811c319e0a9a9fe6d1cced2f7fdb4
Opcode Fuzzy Hash: 947d3d152d4689eb1bfec6cf6bdd486f82cd9c713d1e7efe0a6840d044974208
Instruction Fuzzy Hash: A5C11971A042459FEB209F6A8C81AAA7BB8EF45314F1441AFE990EB352D738DD4187D8

Function 0047D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

FindFirstFileW.KERNEL32(?,?), ref: 0047D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0047D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047D481
FindClose.KERNEL32(00000000), ref: 0047D498
FindClose.KERNEL32(00000000), ref: 0047D4A1

Strings

\*.*, xrefs: 0047D3F2

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e8453d006fc1e7dfa993f2c16fbef677be51cae7b30a75245200ed417a9ecffb
Instruction ID: 881502f683e4a739534d3d2421454e492770a406ec2f3b67fa0c6386e1b0b148
Opcode Fuzzy Hash: e8453d006fc1e7dfa993f2c16fbef677be51cae7b30a75245200ed417a9ecffb
Instruction Fuzzy Hash: 2C31B2714183449BC300EF61C8918EF77E8AE91314F448E1FF4D552191EB38AA49C76B

Function 0044E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0044E645

Strings

1#IND, xrefs: 0044F83D
1#QNAN, xrefs: 0044F84B
1#SNAN, xrefs: 0044F844
1#INF, xrefs: 0044F852

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 55d8a0112e7536801a80e2d2face1bd2a77649d72c9dacf9f5349b32c2276289
Instruction ID: 7f2a59f8be7e269ccb82b669bf2442bb820b17bf4250837d9df762e4fa5cdb0f
Opcode Fuzzy Hash: 55d8a0112e7536801a80e2d2face1bd2a77649d72c9dacf9f5349b32c2276289
Instruction Fuzzy Hash: F4C24872E046288FEB25CE299D407EAB7B5FB48305F1441EBD80DE7241E778AE858F45

Function 0048648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004864DC
CoInitialize.OLE32(00000000), ref: 00486639
CoCreateInstance.OLE32(004AFCF8,00000000,00000001,004AFB68,?), ref: 00486650
CoUninitialize.OLE32 ref: 004868D4

Strings

.lnk, xrefs: 004864BA, 00486524, 004865E0

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 5746d0e128abf1746091c8fc35c349ecb1e70696260edf34eeb56ce358158970
Instruction ID: bd6775c1ad53ba9417aa207dd946af9fa3ab70a9163365b3164009be91aae2f7
Opcode Fuzzy Hash: 5746d0e128abf1746091c8fc35c349ecb1e70696260edf34eeb56ce358158970
Instruction Fuzzy Hash: 5ED15B71508301AFC304EF25C891AABB7E8FF98708F10496EF5958B291EB34ED45CB96

Function 004922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004922E8

Part of subcall function 0048E4EC: GetWindowRect.USER32(?,?), ref: 0048E504

GetDesktopWindow.USER32 ref: 00492312
GetWindowRect.USER32(00000000), ref: 00492319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00492355
GetCursorPos.USER32(?), ref: 00492381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004923DF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a8a07764a6c0faaf334571e613809a976c782fb92ab1b4b6bfa29b7e8829307b
Instruction ID: bda8f7bd6a7f8d7156a8f373fab8ae418e43ecd8c114459a1b6a3ef742074e25
Opcode Fuzzy Hash: a8a07764a6c0faaf334571e613809a976c782fb92ab1b4b6bfa29b7e8829307b
Instruction Fuzzy Hash: C931E672505315AFCB20DF25C845B5B7BE9FF89314F00092EF98597181DB78E908CB95

Function 00489B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00489B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00489C8B

Part of subcall function 00483874: GetInputState.USER32 ref: 004838CB
Part of subcall function 00483874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00483966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00489BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00489C75

Strings

*.*, xrefs: 00489B5D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 205a781e5336a773ee82f868c49ac03131397ed52d091963f8dde5e3f5b8f9b8
Instruction ID: 49a0db4858c119d05f826541f64bd1c1de7c45d6420c29d4adb679eba4af7771
Opcode Fuzzy Hash: 205a781e5336a773ee82f868c49ac03131397ed52d091963f8dde5e3f5b8f9b8
Instruction Fuzzy Hash: 2941B3719006099FDF15EF64C889AEE7BF4FF05310F24445BE805A2291EB39AE84CF68

Function 0042997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00429A4E
GetSysColor.USER32(0000000F), ref: 00429B23
SetBkColor.GDI32(?,00000000), ref: 00429B36

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4ef140965a7e9bddf5908c3ae7c646a6ee2ee3860e67d70e09dad162ffcfb65a
Instruction ID: f33e99569ca7314aa580f14835c56f0e6487d477b6a2df7b9c28cc2b4582c339
Opcode Fuzzy Hash: 4ef140965a7e9bddf5908c3ae7c646a6ee2ee3860e67d70e09dad162ffcfb65a
Instruction Fuzzy Hash: 45A12D703085A0BEE724AA2DAC98D7B295DEF43358F54411FF402C6792DA2D9D42C27F

Function 00491806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
Part of subcall function 0049304E: _wcslen.LIBCMT ref: 0049309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0049185D
WSAGetLastError.WSOCK32 ref: 00491884
bind.WSOCK32(00000000,?,00000010), ref: 004918DB
WSAGetLastError.WSOCK32 ref: 004918E6
closesocket.WSOCK32(00000000), ref: 00491915

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7e95823b984781d212d0e4ecb6d37d4c6716ace0ec562b3ecb0f5ad93d868c32
Instruction ID: 61dfaf6aaed178368c8f86e4d8af9b38a4c53dc191049b18f6dc8a06e67cc523
Opcode Fuzzy Hash: 7e95823b984781d212d0e4ecb6d37d4c6716ace0ec562b3ecb0f5ad93d868c32
Instruction Fuzzy Hash: 6251B171A00210AFDB10EF24C886F6A7BE5AB45718F04809DF9155F3D3C779ED428BA5

Function 004A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004A1CC0
IsWindowEnabled.USER32 ref: 004A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004A1CDB
IsIconic.USER32 ref: 004A1CE9
IsZoomed.USER32 ref: 004A1CF7

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 83be3fe16b0eada9d84b5d24131c50c0d88bf7c3195c116de9dfd601ca50eaf8
Instruction ID: 1b582f708d5333429c38d7c272864bafcb15e379d6e87731d89e9730ec1cd216
Opcode Fuzzy Hash: 83be3fe16b0eada9d84b5d24131c50c0d88bf7c3195c116de9dfd601ca50eaf8
Instruction Fuzzy Hash: A52197317406115FE7208F1AD884B677BE5EFA6325F19806EE846CB361C779EC42CB98

Function 00418060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0041813C
VUUU, xrefs: 004183E8
VUUU, xrefs: 004183FA
VUUU, xrefs: 0041843C
VUUU, xrefs: 00455DF0

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a47f74887cdec0ca62775d863d3a2791c6fad9aba549954cb7e236fff54248cf
Instruction ID: dcac04e15f16dcd5f4ad99a31405ad59be15cef23d9735500cacf7078ae58de4
Opcode Fuzzy Hash: a47f74887cdec0ca62775d863d3a2791c6fad9aba549954cb7e236fff54248cf
Instruction Fuzzy Hash: 00A28C70A0061ACBDF24CF58C9507EEB7B1AB54311F25819BEC15A7382EB389DC5CB99

Function 00478298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004782AA

Strings

tbM, xrefs: 004784F4
|, xrefs: 004782DA
(, xrefs: 004782F0

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbM$|
API String ID: 1659193697-2959561728
Opcode ID: a79838a4e8080e57b76a01666f854b285c0cc2521bef5fe824f43a205b656022
Instruction ID: 26f52a6da03ec17fb982b3d23b80084894bb90065f382fbebe4ab9c652514ebc
Opcode Fuzzy Hash: a79838a4e8080e57b76a01666f854b285c0cc2521bef5fe824f43a205b656022
Instruction Fuzzy Hash: 2C324674A007059FCB28CF19C484AAAB7F0FF48710B15C56EE89ADB7A1EB74E941CB44

Function 0047AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0047AAAC
SetKeyboardState.USER32(00000080), ref: 0047AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0047AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0047AB88

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e88283fa3b960101e8e1c967dc627a4e1c5f4b4010cdb7a1c330d9be1e59f62
Instruction ID: d047cb36b58012327e03cf793e2875beafb4bef4af9709bef7950b2e43ec58b9
Opcode Fuzzy Hash: 1e88283fa3b960101e8e1c967dc627a4e1c5f4b4010cdb7a1c330d9be1e59f62
Instruction Fuzzy Hash: E831FB30A40204AEFB25CA65C805BFF7BA6ABC5310F04C21BF289552D1D37CA965C75B

Function 0048CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0048CE89
GetLastError.KERNEL32(?,00000000), ref: 0048CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0048CEFE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a9c051143c1e3b11bd2e1e4940b97909d37930246d3b9fa34ba0518a3cd32c00
Instruction ID: 7f7814d51e181b2f6b9beb3ab883d1bc04334b89ad5f6d1789026b9788c9685f
Opcode Fuzzy Hash: a9c051143c1e3b11bd2e1e4940b97909d37930246d3b9fa34ba0518a3cd32c00
Instruction Fuzzy Hash: 752192719003059BE730EF55D984BAB77F8EB51354F10482FE64692291D778ED058B68

Function 00485C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00485CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00485D17
FindClose.KERNEL32(?), ref: 00485D5F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e36e0a4e1c31961f04f98b179e6bd91a7871438ad3ed13ed8da20a99b71f134c
Instruction ID: 17d6ded8bbdfeb055e7ab827c6b7c8d2470d14081125e9846a0701b152a51fdc
Opcode Fuzzy Hash: e36e0a4e1c31961f04f98b179e6bd91a7871438ad3ed13ed8da20a99b71f134c
Instruction Fuzzy Hash: 6251AA346046019FC714DF28C494A9AB7E4FF49318F14895EE95A8B3A1CB38EC45CF95

Function 00442622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0044271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00442724
UnhandledExceptionFilter.KERNEL32(?), ref: 00442731

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e6634ef1f1cf553940349ee3d284e99854a98cefd423b437a59bbc8382b7cf6e
Instruction ID: f0a91f49a73f4d2670ce6a8201a05471ec36f34d493f05d08f924ae8020d6c70
Opcode Fuzzy Hash: e6634ef1f1cf553940349ee3d284e99854a98cefd423b437a59bbc8382b7cf6e
Instruction Fuzzy Hash: F431D67490121C9BCB21DF65DD897DDBBB8AF08310F5042EAE80CA7260E7749F818F48

Function 004851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00485238
SetErrorMode.KERNEL32(00000000), ref: 004852A1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cbfd20ac1b9916423c1bd9f7b370c35ce454e305f9f13a635842239b7a4dcb63
Instruction ID: b46b3ddad400828f7b0c3bd4e6fbbc9f4f51c2a9c9057384e1868e1abc44f79b
Opcode Fuzzy Hash: cbfd20ac1b9916423c1bd9f7b370c35ce454e305f9f13a635842239b7a4dcb63
Instruction Fuzzy Hash: 1F314F75A00518DFDB00EF55D8C4EADBBB4FF49318F04849AE8059B392DB35E856CB54

Function 004716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0042FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00430668
Part of subcall function 0042FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00430685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
GetLastError.KERNEL32 ref: 0047174A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a83175bd8f852969c531c4eb85051b7eb762feea6f8aa3a3563fbb828348b25f
Instruction ID: 18fc88071497311a0cba97fe41d400e6cfb07f12cfe12254bab8d2776a0ad4d1
Opcode Fuzzy Hash: a83175bd8f852969c531c4eb85051b7eb762feea6f8aa3a3563fbb828348b25f
Instruction Fuzzy Hash: E811C1B2514304AFD7189F54ECC6DABBBBDEB04714B60C52EE05693251EB74BC418B68

Function 0047D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0047D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047D650

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a6742f7660be72c51bd600da9fc50fb6fdfdd852e52e12c84e56d818b71834be
Instruction ID: b5a699aacca66e5602bb2e1963d6860e8a37be59f87fb75179525ac0aaec123b
Opcode Fuzzy Hash: a6742f7660be72c51bd600da9fc50fb6fdfdd852e52e12c84e56d818b71834be
Instruction Fuzzy Hash: 24117C71E01228BBDB108F949C84FAFBFBCEB45B50F108122F908E7290D6704A018BA5

Function 00471663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0047168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004716A1
FreeSid.ADVAPI32(?), ref: 004716B1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a259ebb3a9bd4bc8146d36e062b05acaa742873583dce6b6539371f138a4ed5c
Instruction ID: 0e2bef568d4ae50979519424c85f10ed086d26084bc358bcbfc30b265d87147d
Opcode Fuzzy Hash: a259ebb3a9bd4bc8146d36e062b05acaa742873583dce6b6539371f138a4ed5c
Instruction Fuzzy Hash: FAF0F47195030DFBDB00DFE49C89EAEBBBCEB09604F508565E501E2191E774AA448A54

Function 0044C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0044C36C

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: c0ed885b057a154dd4d4a007440493614cf3c8344ddb9dce7dacc7a261998021
Instruction ID: 8369cdf84fbea0b1922c9144b817f9f71b20c85c1454a9d6c02d077b6d318009
Opcode Fuzzy Hash: c0ed885b057a154dd4d4a007440493614cf3c8344ddb9dce7dacc7a261998021
Instruction Fuzzy Hash: 164149729012196FDB209FB9CC88EBB77B9EB84314F1442AEF905C7280E6749D41CB58

Function 0043CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 93108dced47ae960ecb6207f19bdd7daf14b010d4f522f71b178ba6952163ed0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 25021D72E002199BDF14CFA9C9C06AEFBF1EF48314F25916AD819F7384D735AA418B94

Function 0041CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00460C40
p#N, xrefs: 0041CF7F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#N
API String ID: 0-3233274810
Opcode ID: 395af5b747642630043a4e3b4bc1f8780e258c9450a40213ce4a575d4ed61306
Instruction ID: eaf1ae8991d39c9fd18ce6b6a1c7b5a3536a6b9310fb3bb73bb85a732cb4285a
Opcode Fuzzy Hash: 395af5b747642630043a4e3b4bc1f8780e258c9450a40213ce4a575d4ed61306
Instruction Fuzzy Hash: 77328E70940218DBDF14DF90D981AEEB7B5FF04308F14405BE806AB392E779AD86CB5A

Function 004868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00486918
FindClose.KERNEL32(00000000), ref: 00486961

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 59ebd294e15c8fe6538ac749b4ab6692e04ffde2667a46df7be83a552f42afa5
Instruction ID: 9d71941b85c6fcdba99199f5a1609a0b72cbea65a5800d56cdd19460d75f049e
Opcode Fuzzy Hash: 59ebd294e15c8fe6538ac749b4ab6692e04ffde2667a46df7be83a552f42afa5
Instruction Fuzzy Hash: 621181716042009FD710DF29D8C4A1ABBE5EF85328F15C6AEE4698F7A2C734EC45CB95

Function 004837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00494891,?,?,00000035,?), ref: 004837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00494891,?,?,00000035,?), ref: 004837F4

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1a44e45063fc424b86853aa1404ef490567e98cbb2e72d99a7bb7dc316c0e784
Instruction ID: 9eeae545dbadd5be335424df86c9b4d180ad6a20f6f13cbd3374a379a3265c39
Opcode Fuzzy Hash: 1a44e45063fc424b86853aa1404ef490567e98cbb2e72d99a7bb7dc316c0e784
Instruction Fuzzy Hash: 8FF0EC71A042142AD75027664C4DFDB7A9DDFC5B65F000176F505D2291D9609D44C7F8

Function 0047B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0047B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0047B270

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 34c6daeecc7c90afa9245fa8cd82a39deb64df1fd9a568f54d6be64025163a19
Instruction ID: 27d8c012cca1ca3818a3cc571a97bf8d54cc97717b1acda51ea59f53da98aea9
Opcode Fuzzy Hash: 34c6daeecc7c90afa9245fa8cd82a39deb64df1fd9a568f54d6be64025163a19
Instruction Fuzzy Hash: 9AF01D7580424EABDB059FA0C805BFE7FB4FF09309F00805AF955A5192C37986119F98

Function 004710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004711FC), ref: 004710D4
CloseHandle.KERNEL32(?,?,004711FC), ref: 004710E9

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3579c7ee369897dfffb7d2e9e20a1c2c4de697aa2a978c41f85ad1dd907dbd89
Instruction ID: 99b901fce3db8f87312295d95c22310121ec12dc42d2ff0e07c4f11101fcbfc5
Opcode Fuzzy Hash: 3579c7ee369897dfffb7d2e9e20a1c2c4de697aa2a978c41f85ad1dd907dbd89
Instruction Fuzzy Hash: D3E04F32018610AEE7252B61FC05EB37BA9EF04310B10883EF4A6804B1DB626C90DB58

Function 0044676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00446766,?,?,00000008,?,?,0044FEFE,00000000), ref: 00446998

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7e0699f6885c9e0e35e63e4f06ff1928b36fabb1e40a5a5284bea70460529ed5
Instruction ID: d393cb3b16803b487488d236cd6f9d7c94727054d244dfda872452f66f586e50
Opcode Fuzzy Hash: 7e0699f6885c9e0e35e63e4f06ff1928b36fabb1e40a5a5284bea70460529ed5
Instruction Fuzzy Hash: DDB16E71610608DFE715CF28C486B657BE0FF46364F268659E899CF3A2C339D982CB46

Function 0042B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0046851F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3f88c311f12813d9ae2998550c1f4482843a08754cbfa491248a302a7f4aef57
Instruction ID: 76232ba2bdb4dd4a55621ba40e147716257af1688b8bdec1df18873947bd21c7
Opcode Fuzzy Hash: 3f88c311f12813d9ae2998550c1f4482843a08754cbfa491248a302a7f4aef57
Instruction Fuzzy Hash: 07126F71A002299BCB14DF58D8806EEB7B5FF48310F54819BE849EB355EB389E81CF95

Function 0048EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0048EABD

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7212ef0b92fc8f380ed5a3efaf03d38414c787674acb62c3cddc732ad52ca21e
Instruction ID: 1781a261ba94e53d80adcaf363e293251e87bf873f1f1829f6dab33583834531
Opcode Fuzzy Hash: 7212ef0b92fc8f380ed5a3efaf03d38414c787674acb62c3cddc732ad52ca21e
Instruction Fuzzy Hash: 1BE01A31200204AFC710EF5AD844E9ABBE9AF98764F00842BFC49C7391DA74E8818B95

Function 004309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004303EE), ref: 004309DA

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a069eac97da2023fc5ff85f1cb8ec43ecea8412b9b591cdbb40bca010c4db709
Instruction ID: 991ab77617efdda4c5f72285da7c0ec40fb0d159deb7bbb2cff1c3768c8cb150
Opcode Fuzzy Hash: a069eac97da2023fc5ff85f1cb8ec43ecea8412b9b591cdbb40bca010c4db709
Instruction Fuzzy Hash:

Function 0043781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0043798B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 110126e8969a0e9dd53842a00397caa192adff14845f88466a9de7126b6a3ff4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DF5134E160C7456AEB3C6629449A7BF67859F0E344F183A0FE8C287382C61DDE02D35E

Function 00482046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&N, xrefs: 00482053

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: 0&N
API String ID: 0-2307969841
Opcode ID: 07183efe61759c0c6122caa06fbb8e47cfae173e81ac29cc90237ca9693c9288
Instruction ID: 5a794de70105e9bdb6ded61bf82c1de75a8d5c1544ed8ab870e91f3ec8027bfd
Opcode Fuzzy Hash: 07183efe61759c0c6122caa06fbb8e47cfae173e81ac29cc90237ca9693c9288
Instruction Fuzzy Hash: 8421EB326206118BDB28CF79C91367E73E9A754310F148A2EE4A7C73D1DEB9A904C784

Function 00446DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0968b6ffe64bf806d03d9ab60a54bc427789297fd9135d47466a2d5038968240
Instruction ID: 881136962dc75cc9bf3f34b6bc7bcc0ca3eb2d6e1765fa22485b7ef371f1c26b
Opcode Fuzzy Hash: 0968b6ffe64bf806d03d9ab60a54bc427789297fd9135d47466a2d5038968240
Instruction Fuzzy Hash: 8F323521D29F014EEB239635CD22336A64DAFB73C5F15D737E81AB5EA5EB68C4834104

Function 0042CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ca3e73ff07188aab83d9a94ca336fb4c74d74a551f28ffe4fe9bce99ff69fe
Instruction ID: c51d29c05a9ec3443fe24ba45c0e2700ca34eacb9bb1c584056eba32015b3e1f
Opcode Fuzzy Hash: 77ca3e73ff07188aab83d9a94ca336fb4c74d74a551f28ffe4fe9bce99ff69fe
Instruction Fuzzy Hash: 2A32E131B001558BDF28CE69D4D467E7BA1AF45300F68816BD4DA9B391F23C9E82DB4B

Function 00417920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221c3254e1e8c50b3920e8fad7a381129bdb79bb07a7841423b8ceb78e48a7ed
Instruction ID: e79187e9489bcf6a0213a319a3d41cb664b3c4e337d71a61c055d85dfabdbe0e
Opcode Fuzzy Hash: 221c3254e1e8c50b3920e8fad7a381129bdb79bb07a7841423b8ceb78e48a7ed
Instruction Fuzzy Hash: 7222F1B0A04609DFDF04CF65C991AFEB3B5FF48304F10412AE816A7291EB39AD55CB59

Function 004191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0255f183982e3e1a68d8094985b1c434ff3c8369bc01e8ebf74c6ca25fe853b1
Instruction ID: c4ea14548b8f248bac80e692cb8833e04a3c248062f6c23e961347b75e32532f
Opcode Fuzzy Hash: 0255f183982e3e1a68d8094985b1c434ff3c8369bc01e8ebf74c6ca25fe853b1
Instruction Fuzzy Hash: 0102F6B0E00109EBCB05DF65D981AAEB7B1FF44304F50816AE816DB391E739EE55CB89

Function 00437A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665f1f512deed0926ffc35e1f86ea16cee1f24a7845e9de2f44113ac22bf4de6
Instruction ID: 0ab1eda3c4a2fc816106b00c2e7bdc9c09070e2be8bb8df06286ae26a1288aaa
Opcode Fuzzy Hash: 665f1f512deed0926ffc35e1f86ea16cee1f24a7845e9de2f44113ac22bf4de6
Instruction Fuzzy Hash: AC613AE120874956DA34AA2848957BFB3A4DF4D718F14391FF8C2DB382D61DAE42C35E

Function 00437CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6a13024682c61d09378aabdfe7cc2aa841bb2a405dfad74ccdf5efd8af8506
Instruction ID: b2a439f55ce16124dc78880318638c415f119d223588e3b7d968c0c4349d371b
Opcode Fuzzy Hash: 9e6a13024682c61d09378aabdfe7cc2aa841bb2a405dfad74ccdf5efd8af8506
Instruction Fuzzy Hash: E1616BF120870966DE385A289892BBF63949F4D744F20395FF9C3DB381D61E9D42825E

Function 00492ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00492B30
DeleteObject.GDI32(00000000), ref: 00492B43
DestroyWindow.USER32 ref: 00492B52
GetDesktopWindow.USER32 ref: 00492B6D
GetWindowRect.USER32(00000000), ref: 00492B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00492CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00492CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492CF8
GetClientRect.USER32(00000000,?), ref: 00492D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00492D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D80
GlobalLock.KERNEL32(00000000), ref: 00492D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D98
GlobalUnlock.KERNEL32(00000000), ref: 00492DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492DA8
GlobalFree.KERNEL32(00000000), ref: 00492DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,004AFC38,00000000), ref: 00492DDB
GlobalFree.KERNEL32(00000000), ref: 00492DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00492E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00492E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0049303F

Strings

, xrefs: 00492FC5
DISPLAY, xrefs: 00492EA2
AutoIt v3, xrefs: 00492CF2
static, xrefs: 00492D3A, 00492E91

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 48e8eb2a03e54829c18017eeefd8fa3ca7c4d6be2a3aa6711a90ad40ac848b43
Instruction ID: ffe006199e9f278330d7a5bd163bf6eceddee57d23d595ee7ffd9f292397d65f
Opcode Fuzzy Hash: 48e8eb2a03e54829c18017eeefd8fa3ca7c4d6be2a3aa6711a90ad40ac848b43
Instruction Fuzzy Hash: 8B027D71A00205AFDB14DF64CD89EAE7FB9EF49314F008169F915AB2A1DB74AD01CF68

Function 004A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004A712F
GetSysColorBrush.USER32(0000000F), ref: 004A7160
GetSysColor.USER32(0000000F), ref: 004A716C
SetBkColor.GDI32(?,000000FF), ref: 004A7186
SelectObject.GDI32(?,?), ref: 004A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004A71C0
GetSysColor.USER32(00000010), ref: 004A71C8
CreateSolidBrush.GDI32(00000000), ref: 004A71CF
FrameRect.USER32(?,?,00000000), ref: 004A71DE
DeleteObject.GDI32(00000000), ref: 004A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004A7230
FillRect.USER32(?,?,?), ref: 004A7262
GetWindowLongW.USER32(?,000000F0), ref: 004A7284

Part of subcall function 004A73E8: GetSysColor.USER32(00000012), ref: 004A7421
Part of subcall function 004A73E8: SetTextColor.GDI32(?,?), ref: 004A7425
Part of subcall function 004A73E8: GetSysColorBrush.USER32(0000000F), ref: 004A743B
Part of subcall function 004A73E8: GetSysColor.USER32(0000000F), ref: 004A7446
Part of subcall function 004A73E8: GetSysColor.USER32(00000011), ref: 004A7463
Part of subcall function 004A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004A7471
Part of subcall function 004A73E8: SelectObject.GDI32(?,00000000), ref: 004A7482
Part of subcall function 004A73E8: SetBkColor.GDI32(?,00000000), ref: 004A748B
Part of subcall function 004A73E8: SelectObject.GDI32(?,?), ref: 004A7498
Part of subcall function 004A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004A74B7
Part of subcall function 004A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004A74CE
Part of subcall function 004A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004A74DB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 79811bd10455c74d44160325d85a4c18f99e9d6759bb3a73998c6e0f9f55fc5d
Instruction ID: f9750ebc21ed2f779264fe058ba64ec8d91ebe6f7ce6eb81098d1e806a156fdc
Opcode Fuzzy Hash: 79811bd10455c74d44160325d85a4c18f99e9d6759bb3a73998c6e0f9f55fc5d
Instruction Fuzzy Hash: 21A1B072508311BFDB509F60DC88A6B7BE9FF4A320F100A29F962961E1D734E945CF56

Function 00492711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0049273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0049286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00492900
GetClientRect.USER32(00000000,?), ref: 0049290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00492955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00492964
GetStockObject.GDI32(00000011), ref: 00492974
SelectObject.GDI32(00000000,00000000), ref: 00492978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00492988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00492991
DeleteDC.GDI32(00000000), ref: 0049299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00492A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00492A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00492A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00492A77
GetStockObject.GDI32(00000011), ref: 00492A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00492A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00492A97

Strings

msctls_progress32, xrefs: 00492A13
DISPLAY, xrefs: 0049295A
AutoIt v3, xrefs: 004928F8
static, xrefs: 0049294F, 00492A71

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f02e6e03209e82f10c4dcfa8a99c1eccd857aca8c649c6cbd17841e4bc6b8f98
Instruction ID: ac55f365a4a78227d321ccebc7043afebb5a7eabf6cfe2735ba8c94126c14207
Opcode Fuzzy Hash: f02e6e03209e82f10c4dcfa8a99c1eccd857aca8c649c6cbd17841e4bc6b8f98
Instruction Fuzzy Hash: BFB16D71A40215BFEB14DFA8CD85FAF7BA9EB05714F004129F914EB2A1D774AD40CBA8

Function 00484ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00484AED
GetDriveTypeW.KERNEL32(?,004ACB68,?,\\.\,004ACC08), ref: 00484BCA
SetErrorMode.KERNEL32(00000000,004ACB68,?,\\.\,004ACC08), ref: 00484D36

Strings

Fixed, xrefs: 00484C09
Network, xrefs: 00484C02
Unknown, xrefs: 00484BED, 00484C83
RAID, xrefs: 00484CBB
SSD, xrefs: 00484C4A
SAS, xrefs: 00484CC9
iSCSI, xrefs: 00484CC2
FileBackedVirtual, xrefs: 00484CEC
MMC, xrefs: 00484CDE
SATA, xrefs: 00484CD0
ATAPI, xrefs: 00484C91
SCSI, xrefs: 00484C8A
\\.\, xrefs: 00484B3F
Virtual, xrefs: 00484CE5
USB, xrefs: 00484CB4
Removable, xrefs: 00484C10, 00484C15
PhysicalDrive, xrefs: 00484B76
CDROM, xrefs: 00484BFB
SSA, xrefs: 00484CA6
ATA, xrefs: 00484C98
Fibre, xrefs: 00484CAD
1394, xrefs: 00484C9F
RAMDisk, xrefs: 00484BF4

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7ebe6ad75f755881f33468f4446c242a2916dd2afe087671c2a08d4cf28eaebd
Instruction ID: 427a2dd218af584eb15e7a214791de95c45331cfc946f5d6ba2a1a272927d42f
Opcode Fuzzy Hash: 7ebe6ad75f755881f33468f4446c242a2916dd2afe087671c2a08d4cf28eaebd
Instruction Fuzzy Hash: 8161C2307011079BCB04FF24C991AADB7A5AB84744B22881BF806AB751DB7DED42DB5E

Function 004A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004A7421
SetTextColor.GDI32(?,?), ref: 004A7425
GetSysColorBrush.USER32(0000000F), ref: 004A743B
GetSysColor.USER32(0000000F), ref: 004A7446
CreateSolidBrush.GDI32(?), ref: 004A744B
GetSysColor.USER32(00000011), ref: 004A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004A7471
SelectObject.GDI32(?,00000000), ref: 004A7482
SetBkColor.GDI32(?,00000000), ref: 004A748B
SelectObject.GDI32(?,?), ref: 004A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004A7572
DrawFocusRect.USER32(?,?), ref: 004A757D
GetSysColor.USER32(00000011), ref: 004A758E
SetTextColor.GDI32(?,00000000), ref: 004A7596
DrawTextW.USER32(?,004A70F5,000000FF,?,00000000), ref: 004A75A8
SelectObject.GDI32(?,?), ref: 004A75BF
DeleteObject.GDI32(?), ref: 004A75CA
SelectObject.GDI32(?,?), ref: 004A75D0
DeleteObject.GDI32(?), ref: 004A75D5
SetTextColor.GDI32(?,?), ref: 004A75DB
SetBkColor.GDI32(?,?), ref: 004A75E5

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 451ad3a45c190d7c0feaac5a8700b645fd34013607fb99537827ae0f0d476815
Instruction ID: 08a8fdc4e1a997d8656ee657d41150064e53ff0c03ac1a4196fc342feacf585f
Opcode Fuzzy Hash: 451ad3a45c190d7c0feaac5a8700b645fd34013607fb99537827ae0f0d476815
Instruction Fuzzy Hash: 41615F72D04218BFDF119FA4DC89AAE7FB9EB0A320F114125F915AB2A1D7749940CF94

Function 004A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004A1128
GetDesktopWindow.USER32 ref: 004A113D
GetWindowRect.USER32(00000000), ref: 004A1144
GetWindowLongW.USER32(?,000000F0), ref: 004A1199
DestroyWindow.USER32(?), ref: 004A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004A1245
IsWindowVisible.USER32(00000000), ref: 004A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004A12D0
GetWindowRect.USER32(00000000,?), ref: 004A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004A130E
GetMonitorInfoW.USER32(00000000,?), ref: 004A1328
CopyRect.USER32(?,?), ref: 004A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004A13AA

Strings

0, xrefs: 004A10D3
(, xrefs: 004A131B
tooltips_class32, xrefs: 004A11E6

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 22dc715e092b7db86997d443cd8f30914446447dd2da8694ece98b2402bc7719
Instruction ID: 0ffc2c64c37b8490d36b32f9974f36d28d8c94be82043d8f3acc072a01946b38
Opcode Fuzzy Hash: 22dc715e092b7db86997d443cd8f30914446447dd2da8694ece98b2402bc7719
Instruction Fuzzy Hash: 94B1AE71608340AFD700DF65C884BABBBE4FF99354F00891EF9999B261C735E845CB99

Function 004A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A02E5
_wcslen.LIBCMT ref: 004A031F
_wcslen.LIBCMT ref: 004A0389
_wcslen.LIBCMT ref: 004A03F1
_wcslen.LIBCMT ref: 004A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004A0504

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

Part of subcall function 0047223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00472258
Part of subcall function 0047223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0047228A

Strings

SELECTCLEAR, xrefs: 004A052D
GETSELECTED, xrefs: 004A05E1
SELECTINVERT, xrefs: 004A057E
ISSELECTED, xrefs: 004A04DD
GETITEMCOUNT, xrefs: 004A0316, 004A0337
GETTEXT, xrefs: 004A03EC, 004A0407
GETSUBITEMCOUNT, xrefs: 004A0384, 004A039F
VIEWCHANGE, xrefs: 004A0675
GETSELECTEDCOUNT, xrefs: 004A0470, 004A048B
DESELECT, xrefs: 004A059C
SELECT, xrefs: 004A0548
SELECTALL, xrefs: 004A0515
FINDITEM, xrefs: 004A0627

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 8bae7d9e2864a4c7ddbb3d1f7814e8f1ae5bb241f1fc9bbb8b66333534eb2381
Instruction ID: 18ae399115aa6f0accb2650a70511161145c9c3628812edb00ffb1e0d68a9a9c
Opcode Fuzzy Hash: 8bae7d9e2864a4c7ddbb3d1f7814e8f1ae5bb241f1fc9bbb8b66333534eb2381
Instruction Fuzzy Hash: 9FE1D3312082009FC714DF25C55096BB3E2BFA9718F54496FF8969B391D738ED45CB8A

Function 00428891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00428968
GetSystemMetrics.USER32(00000007), ref: 00428970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0042899B
GetSystemMetrics.USER32(00000008), ref: 004289A3
GetSystemMetrics.USER32(00000004), ref: 004289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00428A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00428A3C
GetClientRect.USER32(00000000,000000FF), ref: 00428A5A
GetStockObject.GDI32(00000011), ref: 00428A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00428A81

Part of subcall function 0042912D: GetCursorPos.USER32(?), ref: 00429141
Part of subcall function 0042912D: ScreenToClient.USER32(00000000,?), ref: 0042915E
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000001), ref: 00429183
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000002), ref: 0042919D

SetTimer.USER32(00000000,00000000,00000028,004290FC), ref: 00428AA8

Strings

AutoIt v3 GUI, xrefs: 00428A20

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b0d444c9a4e648238a9ee43033c73ecde41753783aa0494a8d7b3f174e1e979a
Instruction ID: f0d2f4109e6c040b0ed59e70fe219348a0646202f3286822d3bfbae8bd7143cb
Opcode Fuzzy Hash: b0d444c9a4e648238a9ee43033c73ecde41753783aa0494a8d7b3f174e1e979a
Instruction Fuzzy Hash: 6DB1A171A002199FDB14DF68DC85BAE3BB5FB48315F11422AFA05EB290DB38E841CF59

Function 00470D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
Part of subcall function 004710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
Part of subcall function 004710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
Part of subcall function 004710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00470DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00470E29
GetLengthSid.ADVAPI32(?), ref: 00470E40
GetAce.ADVAPI32(?,00000000,?), ref: 00470E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00470E96
GetLengthSid.ADVAPI32(?), ref: 00470EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00470EB5
HeapAlloc.KERNEL32(00000000), ref: 00470EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00470EDD
CopySid.ADVAPI32(00000000), ref: 00470EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00470F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00470F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00470F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F6E
HeapFree.KERNEL32(00000000), ref: 00470F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F7E
HeapFree.KERNEL32(00000000), ref: 00470F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F8E
HeapFree.KERNEL32(00000000), ref: 00470F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00470FA1
HeapFree.KERNEL32(00000000), ref: 00470FA8

Part of subcall function 00471193: GetProcessHeap.KERNEL32(00000008,00470BB1,?,00000000,?,00470BB1,?), ref: 004711A1
Part of subcall function 00471193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470BB1,?), ref: 004711A8
Part of subcall function 00471193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00470BB1,?), ref: 004711B7

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ad664e0038d737355d8e93589271598f1583315f857685ac41813197bac5a640
Instruction ID: 7099d9c0095d656a1b53d86a66b4f77c82821f2cff5746ffa2e987abacfeea12
Opcode Fuzzy Hash: ad664e0038d737355d8e93589271598f1583315f857685ac41813197bac5a640
Instruction Fuzzy Hash: 60714CB290520AEBDB20DFA5DC44BEFBBB8BF05300F148126F919B6291D7759905CF68

Function 0049C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004ACC08,00000000,?,00000000,?,?), ref: 0049C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0049C5A4
_wcslen.LIBCMT ref: 0049C5F4
_wcslen.LIBCMT ref: 0049C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0049C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0049C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0049C84D
RegCloseKey.ADVAPI32(?), ref: 0049C881
RegCloseKey.ADVAPI32(00000000), ref: 0049C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0049C960

Strings

REG_MULTI_SZ, xrefs: 0049C6F5
REG_DWORD, xrefs: 0049C804
REG_QWORD, xrefs: 0049C8C3
REG_BINARY, xrefs: 0049C913
REG_EXPAND_SZ, xrefs: 0049C5CD
REG_SZ, xrefs: 0049C644

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 0756e1dec197e87afd305b5f03dde4b7c9ae57013a305f2da79799aed6ee13b7
Instruction ID: 4da2fe471f31ca3bfbd45d4141142f24a7ff825f6c59403002ef929b4aecf9e9
Opcode Fuzzy Hash: 0756e1dec197e87afd305b5f03dde4b7c9ae57013a305f2da79799aed6ee13b7
Instruction Fuzzy Hash: ED1280312042019FDB14DF15C491A6ABBE5FF88358F05886EF8499B3A2DB39FC41CB89

Function 004A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A09C6
_wcslen.LIBCMT ref: 004A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004A0A54
_wcslen.LIBCMT ref: 004A0A8A
_wcslen.LIBCMT ref: 004A0B06
_wcslen.LIBCMT ref: 004A0B81

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

Part of subcall function 00472BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00472BFA

Strings

GETTOTALCOUNT, xrefs: 004A09F2, 004A0A17
COLLAPSE, xrefs: 004A0B01, 004A0B1C
UNCHECK, xrefs: 004A0D3E
GETSELECTED, xrefs: 004A0C4E
CHECK, xrefs: 004A0A85, 004A0AA0
GETTEXT, xrefs: 004A0C97
EXPAND, xrefs: 004A0BF8
EXISTS, xrefs: 004A0B7C, 004A0B97
SELECT, xrefs: 004A0D11
GETITEMCOUNT, xrefs: 004A0C1E
ISCHECKED, xrefs: 004A0CE1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0720a5bfdb4e81eb8932f2283124a063d73bb46e898ebb9025f98d16490c2fe7
Instruction ID: 71bb98aa1d0cb647c24a067f9355aa1627f251d85bc7f1c45857d5aefb18cbd5
Opcode Fuzzy Hash: 0720a5bfdb4e81eb8932f2283124a063d73bb46e898ebb9025f98d16490c2fe7
Instruction Fuzzy Hash: 13E1D1712083019FC714DF25C45096AB7E2BFA9318F50895FF8999B3A2D738ED45CB8A

Function 0049C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
_wcslen.LIBCMT ref: 0049C9F1
_wcslen.LIBCMT ref: 0049CA68
_wcslen.LIBCMT ref: 0049CA9E
_wcslen.LIBCMT ref: 0049CAF9
_wcslen.LIBCMT ref: 0049CB2F
_wcslen.LIBCMT ref: 0049CB7F

Strings

HKCC, xrefs: 0049CBAC
HKEY_CURRENT_CONFIG, xrefs: 0049CB79, 0049CB7E
HKEY_USERS, xrefs: 0049CBDF
HKEY_CURRENT_USER, xrefs: 0049CBBD
HKCU, xrefs: 0049CBCE
HKEY_LOCAL_MACHINE, xrefs: 0049CA62, 0049CA67
HKCR, xrefs: 0049CB29, 0049CB2E
HKLM, xrefs: 0049CA98, 0049CA9D
HKEY_CLASSES_ROOT, xrefs: 0049CAF3, 0049CAF8
HKU, xrefs: 0049CBF0

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: bac4f9cd323f08682ec5b06894ef53aa53b38e830bd08fb05a1defae5ff1d7ed
Instruction ID: d5d863f6c86e870ab54e73c1e16bf93cde290a1e23b92c2b14424a1a4fa95069
Opcode Fuzzy Hash: bac4f9cd323f08682ec5b06894ef53aa53b38e830bd08fb05a1defae5ff1d7ed
Instruction Fuzzy Hash: 3071023260012A8BCF20DE78D9D16BF3B91AFA4764B50453BE85697384E63CDD8583AC

Function 004A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A835A
_wcslen.LIBCMT ref: 004A836E
_wcslen.LIBCMT ref: 004A8391
_wcslen.LIBCMT ref: 004A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004A5BF2), ref: 004A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004A8501
FreeLibrary.KERNEL32(?), ref: 004A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004A851D
DestroyIcon.USER32(?,?,?,?,?,004A5BF2), ref: 004A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004A8555

Strings

.icl, xrefs: 004A8368
.exe, xrefs: 004A8388
.dll, xrefs: 004A83AB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a0ba2eaa562fba035ce4f5868e329f6d95a4f8662d8f1f7125fc70b63ca8b933
Instruction ID: 87c3c71bab557bf3440b5ae3ca86f648046470f02ca5c71676a4d27e303ff600
Opcode Fuzzy Hash: a0ba2eaa562fba035ce4f5868e329f6d95a4f8662d8f1f7125fc70b63ca8b933
Instruction Fuzzy Hash: E061DF71900215BEEB14DF64CC81BFF7BA8FB19720F10451AF815DA1D1EB78A980CBA8

Function 00417778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00417847
#pragma compile, xrefs: 004177D3
', xrefs: 00455169
Cannot parse #include, xrefs: 00455279
Bad directive syntax error, xrefs: 0045519A
#notrayicon, xrefs: 004177E7
#requireadmin, xrefs: 004177FF
#comments-start, xrefs: 0041785F, 004178B1
#include-once, xrefs: 0041782F
#comments-end, xrefs: 004178D9
Unterminated group of comments, xrefs: 0045528C
", xrefs: 00455153
#ce, xrefs: 004178ED
#cs, xrefs: 00417873, 004178C5
#OnAutoItStartRegister, xrefs: 00417817

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f411fb7243e94d1bee2b32433ba4b0c498b7c09fda2dbc395a8a15400733ea79
Instruction ID: 9163805a9ffd9d5412d66ca13c160e931ca9fb4f2aefb45c61f1c69912936ce9
Opcode Fuzzy Hash: f411fb7243e94d1bee2b32433ba4b0c498b7c09fda2dbc395a8a15400733ea79
Instruction Fuzzy Hash: B681F470A40605ABDB20AF61DC52FEF7B74AF15304F04402BF805AA292EB7CD985C79D

Function 00475A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00475A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00475A40
SetWindowTextW.USER32(?,?), ref: 00475A57
GetDlgItem.USER32(?,000003EA), ref: 00475A6C
SetWindowTextW.USER32(00000000,?), ref: 00475A72
GetDlgItem.USER32(?,000003E9), ref: 00475A82
SetWindowTextW.USER32(00000000,?), ref: 00475A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00475AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00475AC3
GetWindowRect.USER32(?,?), ref: 00475ACC
_wcslen.LIBCMT ref: 00475B33
SetWindowTextW.USER32(?,?), ref: 00475B6F
GetDesktopWindow.USER32 ref: 00475B75
GetWindowRect.USER32(00000000), ref: 00475B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00475BD3
GetClientRect.USER32(?,?), ref: 00475BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00475C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00475C2F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 15b77cc3a12dcd2901aa2ecc5caedef83fd7d4d0605f2cc54582615693e99587
Instruction ID: d68c9926c70e6a31f208645eeaef471f8df6a7d1c520532eabc3135bfbba4c8e
Opcode Fuzzy Hash: 15b77cc3a12dcd2901aa2ecc5caedef83fd7d4d0605f2cc54582615693e99587
Instruction Fuzzy Hash: CE718231900B059FDB20DFA8CE85AAFBBF5FF48704F104529E146A66A0D7B4F944CB54

Function 004730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047318D
_wcslen.LIBCMT ref: 004731F8

Strings

INSTANCE, xrefs: 00473453
TEXT, xrefs: 0047347C
CLASS, xrefs: 00473188, 004731A5
CLASSNN, xrefs: 004731F3, 00473204
NAME, xrefs: 00473335, 00473346
REGEXPCLASS, xrefs: 00473255, 00473266
[M, xrefs: 0047339A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[M
API String ID: 176396367-3897780819
Opcode ID: b96623a95b347f7aca3d4d8b97c3991ae9194941cbfa1ecd679a5c21578a44c8
Instruction ID: aa63f2a369256b94df989cc275171d9e3d6b15e2fc1709ac387eae9b27f71ea6
Opcode Fuzzy Hash: b96623a95b347f7aca3d4d8b97c3991ae9194941cbfa1ecd679a5c21578a44c8
Instruction Fuzzy Hash: 90E1E432A00516ABCB289F74C4517EEBBB0BF44715F54C12BE45AB7340DF38AE85A798

Function 004300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004300C6

Part of subcall function 004300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004E070C,00000FA0,D61C9491,?,?,?,?,004523B3,000000FF), ref: 0043011C
Part of subcall function 004300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004523B3,000000FF), ref: 00430127
Part of subcall function 004300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004523B3,000000FF), ref: 00430138
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0043014E
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0043015C
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0043016A
Part of subcall function 004300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00430195
Part of subcall function 004300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004301A0

___scrt_fastfail.LIBCMT ref: 004300E7

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

Strings

InitializeConditionVariable, xrefs: 00430148
SleepConditionVariableCS, xrefs: 00430154
kernel32.dll, xrefs: 00430133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00430122
WakeAllConditionVariable, xrefs: 00430162

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 8424aec140013ab03561fba2c7cc318467006b6a89ece3e2d06ac802320f4b1a
Instruction ID: d4bd76f16599715a784a70480cebc38e1d83c7f5d8cb9fa6486302071be1f816
Opcode Fuzzy Hash: 8424aec140013ab03561fba2c7cc318467006b6a89ece3e2d06ac802320f4b1a
Instruction Fuzzy Hash: 2E21FC32B447106BDB116BA5AC55B6A77E4DB1AB61F10033BF801A7791DBBD5C008A9C

Function 004844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004ACC08), ref: 00484527
_wcslen.LIBCMT ref: 0048453B
_wcslen.LIBCMT ref: 00484599
_wcslen.LIBCMT ref: 004845F4
_wcslen.LIBCMT ref: 0048463F
_wcslen.LIBCMT ref: 004846A7

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

GetDriveTypeW.KERNEL32(?,004D6BF0,00000061), ref: 00484743

Strings

fixed, xrefs: 00484635, 0048463A
network, xrefs: 0048469D, 004846A2
cdrom, xrefs: 0048458F, 00484594
ramdisk, xrefs: 004846F1
removable, xrefs: 004845EA, 004845EF
unknown, xrefs: 00484708
all, xrefs: 00484531, 00484536

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a2d2277e741d4015f6cde9329ad8f7ab1f6da727179d9b750c3183022b816716
Instruction ID: 0698786d47ba9e68c8ff4849903cbcedee9b381c6aae5198ddae73ed37c08107
Opcode Fuzzy Hash: a2d2277e741d4015f6cde9329ad8f7ab1f6da727179d9b750c3183022b816716
Instruction Fuzzy Hash: BFB1DE316083029BC310EF29C890A6FB7E5AFE5724F504D1FF59697291E738E845CB5A

Function 004A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DragQueryPoint.SHELL32(?,?), ref: 004A9147

Part of subcall function 004A7674: ClientToScreen.USER32(?,?), ref: 004A769A
Part of subcall function 004A7674: GetWindowRect.USER32(?,?), ref: 004A7710
Part of subcall function 004A7674: PtInRect.USER32(?,?,004A8B89), ref: 004A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004A9277
DragFinish.SHELL32(?), ref: 004A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004A9371

Strings

@GUI_DROPID, xrefs: 004A929E
@GUI_DRAGID, xrefs: 004A92E9
p#N, xrefs: 004A92BB
@GUI_DRAGFILE, xrefs: 004A9320

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#N
API String ID: 221274066-3777839306
Opcode ID: fb11f4cb25d4cca32d578a96fd01ea80aff25c89b9804c16dc353d1a40ead24b
Instruction ID: 1a6b1795c3cc3da4ae714f8f05d55f9eeb9ab44cdba21cae6a91b786647a3ec2
Opcode Fuzzy Hash: fb11f4cb25d4cca32d578a96fd01ea80aff25c89b9804c16dc353d1a40ead24b
Instruction Fuzzy Hash: 56618D71108300AFC701EF65DC85EAFBBE8EF99354F00092EF595931A1DB749A49CB9A

Function 0041326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004E1990), ref: 00452F8D
GetMenuItemCount.USER32(004E1990), ref: 0045303D
GetCursorPos.USER32(?), ref: 00453081
SetForegroundWindow.USER32(00000000), ref: 0045308A
TrackPopupMenuEx.USER32(004E1990,00000000,?,00000000,00000000,00000000), ref: 0045309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004530A9

Strings

0, xrefs: 0041327D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 599c75741219997bade773841e3042aadca866dce69520f094be17eced15d794
Instruction ID: d52a3e0dce57be7f60c5b77a1431bcbed5ec4adafd949a2b997b8c1421e7ff8d
Opcode Fuzzy Hash: 599c75741219997bade773841e3042aadca866dce69520f094be17eced15d794
Instruction Fuzzy Hash: 7D716931640205BEEB219F24DC89FDBBF64FF02365F204217F9146A2E1C7B9A954DB98

Function 004A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 004A6DEB

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A6E94
DestroyWindow.USER32(?), ref: 004A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00410000,00000000), ref: 004A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A6EFD
GetDesktopWindow.USER32 ref: 004A6F16
GetWindowRect.USER32(00000000), ref: 004A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004A6F4D

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

Strings

0, xrefs: 004A6D98
tooltips_class32, xrefs: 004A6E58, 004A6EDD

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e0cd5f90fcd73690cf8c5ab392a1d1636a5a422d21d77e6fbddd6ac0f1e6dbee
Instruction ID: 480449d6847d523ead7291c8894ffbcea8572c8879d447d827b19be4b4543d40
Opcode Fuzzy Hash: e0cd5f90fcd73690cf8c5ab392a1d1636a5a422d21d77e6fbddd6ac0f1e6dbee
Instruction Fuzzy Hash: 16716B74144244AFDB21CF18DC84BABBBE9FB9A304F49042EF999873A1C774E905CB19

Function 0048C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0048C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0048C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0048C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0048C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0048C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0048C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0048C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0048C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0048C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0048C5F0
InternetCloseHandle.WININET(00000000), ref: 0048C5FB

Strings

, xrefs: 0048C575

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 68fb875449e4cc42c6dca594d0758b07764563a79b01867c82de9594eaedf6e5
Instruction ID: e6696c870a8f472e951e1b2e8277b7b114244663c75e5189ff1b9eef0f6f2f84
Opcode Fuzzy Hash: 68fb875449e4cc42c6dca594d0758b07764563a79b01867c82de9594eaedf6e5
Instruction Fuzzy Hash: B0515DB5500205BFDB21AF61C9C8AAF7BFCFF09754F00482AF94596250DB38E9449B78

Function 004A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 004A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85BA
GlobalLock.KERNEL32(00000000), ref: 004A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85D7
GlobalUnlock.KERNEL32(00000000), ref: 004A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,004AFC38,?), ref: 004A8611
GlobalFree.KERNEL32(00000000), ref: 004A8621
GetObjectW.GDI32(?,00000018,?), ref: 004A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004A8671
DeleteObject.GDI32(?), ref: 004A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004A86AF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3109d90dc184fdbb912968a58aa33ab52785152fe92feac7fc2717fb69d8b838
Instruction ID: e6ec7d9842439c99f61616a9e84471a96dcc8ccf038acd46d5fdce04b350a222
Opcode Fuzzy Hash: 3109d90dc184fdbb912968a58aa33ab52785152fe92feac7fc2717fb69d8b838
Instruction Fuzzy Hash: DF41FA75A00208BFDB519FA5DC88EAB7BB8FF9A711F144069F905E7260DB349901CB68

Function 004814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00481502
VariantCopy.OLEAUT32(?,?), ref: 0048150B
VariantClear.OLEAUT32(?), ref: 00481517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00481657
VariantInit.OLEAUT32(?), ref: 00481708
SysFreeString.OLEAUT32(?), ref: 0048178C
VariantClear.OLEAUT32(?), ref: 004817D8
VariantClear.OLEAUT32(?), ref: 004817E7
VariantInit.OLEAUT32(00000000), ref: 00481823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00481625
Default, xrefs: 004816AF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 3fbde793710cdd8c8cce8e6f3137ed7e9cfcbed7b6e1077be044644378c51f0b
Instruction ID: 1e7e7bfefe4b90ca68e4988ad8633cfb91fafc46916d762e6377b0326fef6c0c
Opcode Fuzzy Hash: 3fbde793710cdd8c8cce8e6f3137ed7e9cfcbed7b6e1077be044644378c51f0b
Instruction Fuzzy Hash: 62D11571600111EBDB00AF69E884B7DB7B9BF45700F50886BF446AB2A0DB38DC47DB5A

Function 0049B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0049B80A
RegCloseKey.ADVAPI32(?), ref: 0049B87E
RegCloseKey.ADVAPI32(?), ref: 0049B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0049B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0049B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0049B922
FreeLibrary.KERNEL32(00000000), ref: 0049B983
RegCloseKey.ADVAPI32(00000000), ref: 0049B994

Strings

advapi32.dll, xrefs: 0049B8ED
RegDeleteKeyExW, xrefs: 0049B8FE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f4dfe2cbd5043bef8a05754c3a9d85b1d30be51a35c1f5ef1db0f3418d6acc88
Instruction ID: fa615ed0b01782387e58b718d2a11691133ab1bdceb8145f8568586ea849ea40
Opcode Fuzzy Hash: f4dfe2cbd5043bef8a05754c3a9d85b1d30be51a35c1f5ef1db0f3418d6acc88
Instruction Fuzzy Hash: DAC18F70204201AFDB10DF15D594F2ABBE5FF84308F1485AEE5994B3A2C779EC46CB95

Function 0049255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004925E8
CreateCompatibleDC.GDI32(?), ref: 004925F4
SelectObject.GDI32(00000000,?), ref: 00492601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0049266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004926D0
SelectObject.GDI32(?,?), ref: 004926D8
DeleteObject.GDI32(?), ref: 004926E1
DeleteDC.GDI32(?), ref: 004926E8
ReleaseDC.USER32(00000000,?), ref: 004926F3

Strings

(, xrefs: 0049268D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e95659545875e1d004cceb4e685eabb7c544d96475c47d8fd22ff6ad7b67be19
Instruction ID: afe30b257a05467c9fec05000a697a3f78429f877108e9f3009296d23cb2d67e
Opcode Fuzzy Hash: e95659545875e1d004cceb4e685eabb7c544d96475c47d8fd22ff6ad7b67be19
Instruction Fuzzy Hash: 6561D1B5E00219EFCF05CFA4D984AAEBBB5FF48310F20852AE955A7250E774A941CF94

Function 0044DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044DAA1

Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D659
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D66B
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D67D
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D68F
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6A1
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6B3
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6C5
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6D7
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6E9
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6FB
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D70D
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D71F
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D731

_free.LIBCMT ref: 0044DA96

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044DAB8
_free.LIBCMT ref: 0044DACD
_free.LIBCMT ref: 0044DAD8
_free.LIBCMT ref: 0044DAFA
_free.LIBCMT ref: 0044DB0D
_free.LIBCMT ref: 0044DB1B
_free.LIBCMT ref: 0044DB26
_free.LIBCMT ref: 0044DB5E
_free.LIBCMT ref: 0044DB65
_free.LIBCMT ref: 0044DB82
_free.LIBCMT ref: 0044DB9A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c105ba9458f2702fb0df8d2a44a6a4991dc3ad4c0ac3a8d1d5cfe33d60b762af
Instruction ID: 0fbc7f903a6bfa94f2bcc192590e3471ce0bd6f3987e2933896b359906d1fcbb
Opcode Fuzzy Hash: c105ba9458f2702fb0df8d2a44a6a4991dc3ad4c0ac3a8d1d5cfe33d60b762af
Instruction Fuzzy Hash: 51316AB1A046459FFB21AA3AE945B5BB7E9FF00314F51442BF049D7291DA78AC40C728

Function 0047365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0047369C
_wcslen.LIBCMT ref: 004736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00473797
GetClassNameW.USER32(?,?,00000400), ref: 0047380C
GetDlgCtrlID.USER32(?), ref: 0047385D
GetWindowRect.USER32(?,?), ref: 00473882
GetParent.USER32(?), ref: 004738A0
ScreenToClient.USER32(00000000), ref: 004738A7
GetClassNameW.USER32(?,?,00000100), ref: 00473921
GetWindowTextW.USER32(?,?,00000400), ref: 0047395D

Strings

%s%u, xrefs: 00473734

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3ee711676b9be292302927535824d43032d8a856ff6ed10647d211009fc797ff
Instruction ID: 7106b567ec3585191244bd828ee75418fe1e49136e2ca5b3a6696f0e1cf8f10d
Opcode Fuzzy Hash: 3ee711676b9be292302927535824d43032d8a856ff6ed10647d211009fc797ff
Instruction Fuzzy Hash: C691C3B1204206AFD718DF24C884BEBB7E8FF44315F00C52AFA9D82250DB38EA45DB95

Function 00474954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00474994
GetWindowTextW.USER32(?,?,00000400), ref: 004749DA
_wcslen.LIBCMT ref: 004749EB
CharUpperBuffW.USER32(?,00000000), ref: 004749F7
_wcsstr.LIBVCRUNTIME ref: 00474A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00474A64
GetWindowTextW.USER32(?,?,00000400), ref: 00474A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00474AE6
GetClassNameW.USER32(?,?,00000400), ref: 00474B20
GetWindowRect.USER32(?,?), ref: 00474B8B

Strings

ThumbnailClass, xrefs: 00474A6F, 00474AF1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a241618ee9a1aff6ab3c65ff6abcf850d1e318a96d8ec44b4220d26f6d52b681
Instruction ID: 3e46f777533f94fe0d5f87b77e93d849d40ddff76415f2c031b173f9daee5041
Opcode Fuzzy Hash: a241618ee9a1aff6ab3c65ff6abcf850d1e318a96d8ec44b4220d26f6d52b681
Instruction Fuzzy Hash: 0D91AC711042059FDB05DE14C981BFBB7E8EF84314F04846BED899A296DB38ED45CBAA

Function 004A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004A8D5A
GetFocus.USER32 ref: 004A8D6A
GetDlgCtrlID.USER32(00000000), ref: 004A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004A8ECF
GetMenuItemCount.USER32(?), ref: 004A8EEC
GetMenuItemID.USER32(?,00000000), ref: 004A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004A8FA1

Strings

0, xrefs: 004A8E9F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 74deb7e831977f8b1bf31d7a4d58a5057a55876bf5879ed525043064042c5e21
Instruction ID: a1483002659df2c769b64139de1c9b98ef7785f78553308075a25c6b183a3a62
Opcode Fuzzy Hash: 74deb7e831977f8b1bf31d7a4d58a5057a55876bf5879ed525043064042c5e21
Instruction Fuzzy Hash: 2C81B371504311AFDB10CF24D884A6BBBE9FFAA314F14092EF985D7291DB78D901CB69

Function 0047DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0047DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0047DC46
_wcslen.LIBCMT ref: 0047DC50
_wcsstr.LIBVCRUNTIME ref: 0047DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0047DCBC

Strings

StringFileInfo\, xrefs: 0047DC8F
04090000, xrefs: 0047DCF2
\VarFileInfo\Translation, xrefs: 0047DCB4
DefaultLangCodepage, xrefs: 0047DD1F
%u.%u.%u.%u, xrefs: 0047DD9A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4b956d91cffcdde20490757a73878f49d6c89f85dcd4412b9b40af461a770d84
Instruction ID: b3fee1bfc6078b955bec20cc79ca37a490acab5d2dd6c5a520f950a9bc8bd273
Opcode Fuzzy Hash: 4b956d91cffcdde20490757a73878f49d6c89f85dcd4412b9b40af461a770d84
Instruction Fuzzy Hash: A8412432A402107ADB15A661AC83FFF37BCDF5A714F50406FF904A2182EB7DA90197AD

Function 0049CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0049CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0049CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0049CD48

Part of subcall function 0049CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0049CCAA
Part of subcall function 0049CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0049CCBD
Part of subcall function 0049CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0049CCCF
Part of subcall function 0049CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0049CD05
Part of subcall function 0049CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0049CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0049CCF3

Strings

advapi32.dll, xrefs: 0049CCB8
RegDeleteKeyExW, xrefs: 0049CCC9

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 96e21358bb9ea3f98390cb7f73ff936c887cce294f6a27e653639b81f8fa2f58
Instruction ID: 7538443a2070a75c8f6738d5cf86d3d8f676141747eedc8856924e3f1a3f32c1
Opcode Fuzzy Hash: 96e21358bb9ea3f98390cb7f73ff936c887cce294f6a27e653639b81f8fa2f58
Instruction Fuzzy Hash: 1B316071A41129BBDB209B95DCC8EFFBF7CEF46754F000176F905E2240D6389E459AA8

Function 0047E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0047E6B4

Part of subcall function 0042E551: timeGetTime.WINMM(?,?,0047E6D4), ref: 0042E555

Sleep.KERNEL32(0000000A), ref: 0047E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0047E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0047E727
SetActiveWindow.USER32 ref: 0047E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0047E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0047E773
Sleep.KERNEL32(000000FA), ref: 0047E77E
IsWindow.USER32 ref: 0047E78A
EndDialog.USER32(00000000), ref: 0047E79B

Strings

BUTTON, xrefs: 0047E719

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0ce4e31316d84ee1a9df28ce108d7ae3b03154ccf470b9ad86f47536e608884c
Instruction ID: 494c76b985108189b84701e682c771b886766d41e0b061f8c7d00f00864028ea
Opcode Fuzzy Hash: 0ce4e31316d84ee1a9df28ce108d7ae3b03154ccf470b9ad86f47536e608884c
Instruction Fuzzy Hash: 0121D4B0200244AFEB105F36EDC9A663F6DF71A349F108676F409952B2DBB5AC009A2C

Function 0047E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0047EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0047EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0047EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0047EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0047EAA7

Strings

status PlayMe mode, xrefs: 0047EA58
open , xrefs: 0047EA0C
close PlayMe, xrefs: 0047EA6E, 0047EA9B
play PlayMe wait, xrefs: 0047EA91
play PlayMe, xrefs: 0047EAA2
alias PlayMe, xrefs: 0047EA36

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: df8e3da0a5e259090cab6440a6af7588a6aaf42412739cb9de69359772a0b638
Instruction ID: 185efa22bfd07092d35c6ad2d555b2b30407d90891556a1a8f714cf41da1f940
Opcode Fuzzy Hash: df8e3da0a5e259090cab6440a6af7588a6aaf42412739cb9de69359772a0b638
Instruction Fuzzy Hash: 6E11E370A9021979D720A7A2DC6AEFF6B7CEBC1F04F10046BB801A21D0EE781D45C9B8

Function 00475CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00475CE2
GetWindowRect.USER32(00000000,?), ref: 00475CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00475D59
GetDlgItem.USER32(?,00000002), ref: 00475D69
GetWindowRect.USER32(00000000,?), ref: 00475D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00475DCF
GetDlgItem.USER32(?,000003E9), ref: 00475DDD
GetWindowRect.USER32(00000000,?), ref: 00475DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00475E31
GetDlgItem.USER32(?,000003EA), ref: 00475E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00475E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00475E67

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 85fce70f1bc3c6a58b00dbe9f269ff0012521eeb4d645d9ced75c338d75638a7
Instruction ID: 7af9dc3cde50717f7a15d0e0f9f9ffc130238e322a778124ca07208abb8f559d
Opcode Fuzzy Hash: 85fce70f1bc3c6a58b00dbe9f269ff0012521eeb4d645d9ced75c338d75638a7
Instruction Fuzzy Hash: 3C510E71B00605AFDF18CFA8DD89AAEBBB5FB48300F548129F519E7290D7749E04CB54

Function 00428BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00428F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00428BE8,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428FC5

DestroyWindow.USER32(?), ref: 00428C81
KillTimer.USER32(00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00466973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 004669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 004669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000), ref: 004669D4
DeleteObject.GDI32(00000000), ref: 004669E6

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d312ec482637de34eab6c8cb0abf800ef1d87be553b45fe41c1f9b4440f380c5
Instruction ID: 6c6c78c700273877c720b5be97dd70d0af4906cd395b8db5d91e4763b518ce99
Opcode Fuzzy Hash: d312ec482637de34eab6c8cb0abf800ef1d87be553b45fe41c1f9b4440f380c5
Instruction Fuzzy Hash: FA61C170202620DFDB219F15EA88B2A7BF1FB41316F55452EE0429B671CB39AC81CF9D

Function 00429838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

GetSysColor.USER32(0000000F), ref: 00429862

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5a4886a40c9aaeaf3bb6ae34570c01d04d3e4fd7cde98486b7776afaba0a22ec
Instruction ID: f874ee9d2f2be3fd10760c2b7717790b9c456f1175dcccdab44d2fb6697bf3e7
Opcode Fuzzy Hash: 5a4886a40c9aaeaf3bb6ae34570c01d04d3e4fd7cde98486b7776afaba0a22ec
Instruction Fuzzy Hash: 1741FA31600650AFDB206F38AC84BBA3B65EB17330F584656F9A2873E2D7349C42DB19

Function 00448D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.C, xrefs: 0044903A, 00448FD0, 00448FF2

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: .C
API String ID: 0-1181961956
Opcode ID: 9b58f5dabe3077509171e732bff81eb824458f57b6083445ac5ab056f66e97ef
Instruction ID: eb9610bd3511200ec6d90fa95a5c7e010e857ca5343351805dd7b5ce85707d63
Opcode Fuzzy Hash: 9b58f5dabe3077509171e732bff81eb824458f57b6083445ac5ab056f66e97ef
Instruction Fuzzy Hash: 1EC1F474D04249AFEF11DFA9D841BAFBBB0AF09314F14409AF814A7392C7798D42DB69

Function 004796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0045F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00479717
LoadStringW.USER32(00000000,?,0045F7F8,00000001), ref: 00479720

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0045F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00479742
LoadStringW.USER32(00000000,?,0045F7F8,00000001), ref: 00479745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00479866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0047984A
Error: , xrefs: 0047981D
^ ERROR, xrefs: 004797FB
Line %d:, xrefs: 004797A0
Line %d (File "%s"):, xrefs: 0047978F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3ee9530a851cd0c7f38de4390686cf59642ea22bf7a459988ec1dc21611975c2
Instruction ID: 47649ed6707ce6315a6fb9766a92006ead74d56158a65ab5c8854d2702f008b9
Opcode Fuzzy Hash: 3ee9530a851cd0c7f38de4390686cf59642ea22bf7a459988ec1dc21611975c2
Instruction Fuzzy Hash: A1416572800119AADF04FBE1CD96DEE7778AF15744F50402BF60572192EB396F88CB69

Function 004706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00470804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0047082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00470837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0047083C

Strings

\CLSID, xrefs: 00470724
\IPC$, xrefs: 00470784
SOFTWARE\Classes\, xrefs: 0047070E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2105aacdd6c737f33dc8ded460abfac6fe9d8952a66773c56c8a4bb317b591c2
Instruction ID: 971b3f1af4e9c7bad6bcaabeef2f6bc07191664b0645e154af9b29989f684920
Opcode Fuzzy Hash: 2105aacdd6c737f33dc8ded460abfac6fe9d8952a66773c56c8a4bb317b591c2
Instruction Fuzzy Hash: 0C413B71C11228EBCF15EFA4DC95CEEB778BF04354F15412AE905A3260EB38AE44CB94

Function 00493C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00493C5C
CoInitialize.OLE32(00000000), ref: 00493C8A
CoUninitialize.OLE32 ref: 00493C94
_wcslen.LIBCMT ref: 00493D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00493DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00493ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00493F0E
CoGetObject.OLE32(?,00000000,004AFB98,?), ref: 00493F2D
SetErrorMode.KERNEL32(00000000), ref: 00493F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00493FC4
VariantClear.OLEAUT32(?), ref: 00493FD8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bd28a41bbed7338230c01f431dd6a8a5859c679330a8b047e730b4abd573d918
Instruction ID: f46ce77e6ea40ec39aeecf3c65ce7f6ba73e3857271a89658ab5552a3a1d6a17
Opcode Fuzzy Hash: bd28a41bbed7338230c01f431dd6a8a5859c679330a8b047e730b4abd573d918
Instruction Fuzzy Hash: 23C158716083059FCB00DF65C88496BBBE9FF8A749F00496EF98A9B210D734EE05CB56

Function 00487A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00487AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00487B8F
SHGetDesktopFolder.SHELL32(?), ref: 00487BA3
CoCreateInstance.OLE32(004AFD08,00000000,00000001,004D6E6C,?), ref: 00487BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00487C74
CoTaskMemFree.OLE32(?,?), ref: 00487CCC
SHBrowseForFolderW.SHELL32(?), ref: 00487D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00487D7A
CoTaskMemFree.OLE32(00000000), ref: 00487D81
CoTaskMemFree.OLE32(00000000), ref: 00487DD6
CoUninitialize.OLE32 ref: 00487DDC

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ace4ab00ce5922a9a9c8ca40bae0e0816c6a52a69b732ec05541eec82ebae35a
Instruction ID: 88d8fb7e9a5a88090902244ea6af08d937b7dc800ece08ee49cd5c22bb9600be
Opcode Fuzzy Hash: ace4ab00ce5922a9a9c8ca40bae0e0816c6a52a69b732ec05541eec82ebae35a
Instruction Fuzzy Hash: 73C13D75A04105AFCB14EFA4C894DAEBBF9FF48308B1484A9E81ADB361D734ED41CB94

Function 004A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A5515
CharNextW.USER32(00000158), ref: 004A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A55AC

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2efb1f7c96c8081bb18d15c9847767f811f787cce9b19fadcfeee2f16e489ed0
Instruction ID: 886126b4b6221783a70d92fb59f16fe1a659533b40aeb0ed112194b5baff34cd
Opcode Fuzzy Hash: 2efb1f7c96c8081bb18d15c9847767f811f787cce9b19fadcfeee2f16e489ed0
Instruction Fuzzy Hash: F161BE71900608FBDF10DF54CD84AFF3BB9EB2B320F104156F925AA291D7388A81DB69

Function 0046FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0046FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0046FB08
VariantInit.OLEAUT32(?), ref: 0046FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0046FB3A
VariantCopy.OLEAUT32(?,?), ref: 0046FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0046FBA1
VariantClear.OLEAUT32(?), ref: 0046FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0046FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046FBCC
VariantClear.OLEAUT32(?), ref: 0046FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046FBE9

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c215a2eadedc096187399e35b036147ca007a2358cc53a2e26fafaf8e74fc690
Instruction ID: 69da9d415d22f4735617171077b00187f906dca4e4e7837b33ff6fada278e84d
Opcode Fuzzy Hash: c215a2eadedc096187399e35b036147ca007a2358cc53a2e26fafaf8e74fc690
Instruction Fuzzy Hash: E9417275A002199FCB00DF64D8949EEBFB9FF49344F00807AE945A7261DB34E945CF99

Function 00479C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00479CA1
GetAsyncKeyState.USER32(000000A0), ref: 00479D22
GetKeyState.USER32(000000A0), ref: 00479D3D
GetAsyncKeyState.USER32(000000A1), ref: 00479D57
GetKeyState.USER32(000000A1), ref: 00479D6C
GetAsyncKeyState.USER32(00000011), ref: 00479D84
GetKeyState.USER32(00000011), ref: 00479D96
GetAsyncKeyState.USER32(00000012), ref: 00479DAE
GetKeyState.USER32(00000012), ref: 00479DC0
GetAsyncKeyState.USER32(0000005B), ref: 00479DD8
GetKeyState.USER32(0000005B), ref: 00479DEA

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7496078645f185c8b955c02ad3bdb58ae11c5035c34322887f17f5e42b53c589
Instruction ID: 105258d4d7e9098a205df19608756355a8728712edbacb0a07328e843bb98f96
Opcode Fuzzy Hash: 7496078645f185c8b955c02ad3bdb58ae11c5035c34322887f17f5e42b53c589
Instruction Fuzzy Hash: 9F41D8345047C96DFF71866484443F7BEA16B12344F08C05BDACA567C2EBAC9DC8C79A

Function 0049055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004905BC
inet_addr.WSOCK32(?), ref: 0049061C
gethostbyname.WSOCK32(?), ref: 00490628
IcmpCreateFile.IPHLPAPI ref: 00490636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004907B9
WSACleanup.WSOCK32 ref: 004907BF

Strings

Ping, xrefs: 00490676

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bc840ad0bb37eee539278ffbf4f931ea58f94f09c5e218e6e7c786f79233be8b
Instruction ID: d698bc833c7678b93aeb067f8947c4fc809515c985cc515df99e0be90776a55b
Opcode Fuzzy Hash: bc840ad0bb37eee539278ffbf4f931ea58f94f09c5e218e6e7c786f79233be8b
Instruction Fuzzy Hash: 49917E35604201AFDB20DF15D488F1ABFE0AF44328F1585AAE4698B7A2C738ED85CF95

Function 00498CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00498CF3

Part of subcall function 00478E54: _wcslen.LIBCMT ref: 00478E77

_wcslen.LIBCMT ref: 00498D4E
_wcslen.LIBCMT ref: 00498D9C
_wcslen.LIBCMT ref: 00498DDC
_wcslen.LIBCMT ref: 00498E6E

Strings

none, xrefs: 00498E65, 00498E6A
winapi, xrefs: 00498D96, 00498D9B
stdcall, xrefs: 00498DD6, 00498DDB
cdecl, xrefs: 00498D48, 00498D4D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2988b8d1db754f97fcb01959b2ec187e4289b9debbd9552d54519e9fb1cf070f
Instruction ID: f2321c66c4dea0c95bd39490f25074e66ef5b59c05288e109135086d3958da2f
Opcode Fuzzy Hash: 2988b8d1db754f97fcb01959b2ec187e4289b9debbd9552d54519e9fb1cf070f
Instruction Fuzzy Hash: 9F519071A001169BCF14DF6DC9609BEBBA5AF66324B21423FE426E7384DB39DD40C798

Function 0049372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00493774
CoUninitialize.OLE32 ref: 0049377F
CoCreateInstance.OLE32(?,00000000,00000017,004AFB78,?), ref: 004937D9
IIDFromString.OLE32(?,?), ref: 0049384C
VariantInit.OLEAUT32(?), ref: 004938E4
VariantClear.OLEAUT32(?), ref: 00493936

Strings

Invalid parameter, xrefs: 00493865
Failed to create object, xrefs: 004937E4, 0049389A
NULL Pointer assignment, xrefs: 0049381E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b7e515fd61e39f531d2e238a45fd2308c25a0814427ae7bcd0934277a01a210d
Instruction ID: c09ade78cfc8693cfbb62d65456be79016457365495fb0cb24c547c6a8c76256
Opcode Fuzzy Hash: b7e515fd61e39f531d2e238a45fd2308c25a0814427ae7bcd0934277a01a210d
Instruction Fuzzy Hash: 6561B070608301AFD710EF55C888B6ABBE4EF4A705F10486FF58597291C778EE49CB9A

Function 00488195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00488257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00488267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00488273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00488310
SetCurrentDirectoryW.KERNEL32(?), ref: 00488324
SetCurrentDirectoryW.KERNEL32(?), ref: 00488356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0048838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00488395

Strings

*.*, xrefs: 0048839B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 80373a1b7d3725b696cef15b87f7b1ed5e1f2b2db72753518e9ec4bd2d1dfda6
Instruction ID: 8c87cecdd7d48a25a21600357a76941b17b959492d1dc5e36fa3645ee2878ee6
Opcode Fuzzy Hash: 80373a1b7d3725b696cef15b87f7b1ed5e1f2b2db72753518e9ec4bd2d1dfda6
Instruction Fuzzy Hash: C6615B725043059FCB10EF61C88099FB3E9FF89318F44896EF98987251DB39E945CB9A

Function 004A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

Part of subcall function 0042912D: GetCursorPos.USER32(?), ref: 00429141
Part of subcall function 0042912D: ScreenToClient.USER32(00000000,?), ref: 0042915E
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000001), ref: 00429183
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000002), ref: 0042919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 004A8B6B
ImageList_EndDrag.COMCTL32 ref: 004A8B71
ReleaseCapture.USER32 ref: 004A8B77
SetWindowTextW.USER32(?,00000000), ref: 004A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004A8CFF

Strings

p#N, xrefs: 004A8C71
@GUI_DROPID, xrefs: 004A8C51
@GUI_DRAGFILE, xrefs: 004A8C9A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#N
API String ID: 1924731296-3991093434
Opcode ID: 9b2404f045f3884a89afc37393a44371415102ad1d7466d96e31b898fb37e317
Instruction ID: 47c12726a45359ca2c067fea2545401927e23d90b7c28c502135f77aac93ccd2
Opcode Fuzzy Hash: 9b2404f045f3884a89afc37393a44371415102ad1d7466d96e31b898fb37e317
Instruction Fuzzy Hash: 33518B70204200AFD704EF15DC95FAA77E4FB89714F400A2EF996572E2DB789D44CB6A

Function 00483388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004833CF

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004833F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00483504
Incorrect parameters to object property !, xrefs: 004834AB
Error: , xrefs: 004834D1
^ ERROR , xrefs: 0048349E
Line %d (File "%s"):, xrefs: 00483443, 0048345C
"%s" (%d) : ==> %s:, xrefs: 00483522

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1142c04a9c81701bb75aae4beb97b563b64bd2f7e18b9087fe87dddb4fc3f9c0
Instruction ID: 7695c21b8b36afe79131069c5ec5d0ca14b9c4d6ae953ec27149b8bd75fa862b
Opcode Fuzzy Hash: 1142c04a9c81701bb75aae4beb97b563b64bd2f7e18b9087fe87dddb4fc3f9c0
Instruction Fuzzy Hash: D051D471900209BADF14EBE1CD52EEEB778AF04744F20446BF50572162EB392F98DB68

Function 0047B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0047B5FC
_wcslen.LIBCMT ref: 0047B608
_wcslen.LIBCMT ref: 0047B64D
_wcslen.LIBCMT ref: 0047B68C
_wcslen.LIBCMT ref: 0047B6C7

Strings

REMOVE, xrefs: 0047B602, 0047B607
APPEND, xrefs: 0047B6C1, 0047B6C6
EXISTS, xrefs: 0047B686, 0047B68B
KEYS, xrefs: 0047B647, 0047B64C

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 05988ba4a17b9c84888d3bbc0106db6ad0fca6b2443a379f5b7f8fc0d0f0e533
Instruction ID: 414aed57adbb56d44630540c850783c453eb60b242e3bbd21be030ebb81c53ac
Opcode Fuzzy Hash: 05988ba4a17b9c84888d3bbc0106db6ad0fca6b2443a379f5b7f8fc0d0f0e533
Instruction Fuzzy Hash: 31412A32A001269ACB106F7D88906FF77A1EFA0758B24812BE629D7384E73DCD81C3D5

Function 00485393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00485416
GetLastError.KERNEL32 ref: 00485420
SetErrorMode.KERNEL32(00000000,READY), ref: 004854A7

Strings

INVALID, xrefs: 00485459
NOTREADY, xrefs: 0048544B
UNKNOWN, xrefs: 00485444
READONLY, xrefs: 00485452
READY, xrefs: 00485460, 00485468

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8dafa5648ace807a1cbe3412b834b70b3b72cad942207dffd6dc4ceda2610241
Instruction ID: cbe64af34b405703c3480dd1aee301c646ac5b5423df9dc3eb6c89aac84d6b26
Opcode Fuzzy Hash: 8dafa5648ace807a1cbe3412b834b70b3b72cad942207dffd6dc4ceda2610241
Instruction Fuzzy Hash: 0231CE35A002049FDB10EF68C484BAEBBB4EF45709F14846BE405CB392DB79DD82CB95

Function 004A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004A3C79
SetMenu.USER32(?,00000000), ref: 004A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A3D10
IsMenu.USER32(?), ref: 004A3D24
CreatePopupMenu.USER32 ref: 004A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004A3D5B
DrawMenuBar.USER32 ref: 004A3D63

Strings

0, xrefs: 004A3C54
F, xrefs: 004A3D4E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 61bf1a0c13cbfdcf9b5887dc7343f0fc2790829543ca24696400371479a97c1a
Instruction ID: 88367d0572a9587ccdce4249f6a151579d92679bdd64667a54bb18dfb3d73e06
Opcode Fuzzy Hash: 61bf1a0c13cbfdcf9b5887dc7343f0fc2790829543ca24696400371479a97c1a
Instruction Fuzzy Hash: 28417EB5A01209EFDB14CF64D884ADA7BB5FF5A351F14002AF946A7360E734AA10CF58

Function 004A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004A3C13

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8750fad242930c77f0ba0a5b7088109129fc0be0950115208b9d46647844f1c6
Instruction ID: 9b9b1362c474cf40edbbecfd28caa1ac6b822cdd5dbcf18cdb8d3d0f30ad3c48
Opcode Fuzzy Hash: 8750fad242930c77f0ba0a5b7088109129fc0be0950115208b9d46647844f1c6
Instruction Fuzzy Hash: 04619F75900248AFDB10DF64CC81EEE77F8EB19314F1000AAFA05A73A2D774AE45DB54

Function 00442C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442C94

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 00442CA0
_free.LIBCMT ref: 00442CAB
_free.LIBCMT ref: 00442CB6
_free.LIBCMT ref: 00442CC1
_free.LIBCMT ref: 00442CCC
_free.LIBCMT ref: 00442CD7
_free.LIBCMT ref: 00442CE2
_free.LIBCMT ref: 00442CED
_free.LIBCMT ref: 00442CFB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: baeddbe0655e94e118552a65794846ef528a4f51d5828953fe4ae3143878e0bf
Instruction ID: c4d3835c6e39c14024aa1b946a06c50d845e7d2803cfcb573c61ee3650419366
Opcode Fuzzy Hash: baeddbe0655e94e118552a65794846ef528a4f51d5828953fe4ae3143878e0bf
Instruction Fuzzy Hash: 6411FEB5200108BFEB02EF56DA42CDD3B65FF05354F81449AF9485F232D675EE509B54

Function 00415BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00415C7A

Part of subcall function 00415D0A: GetClientRect.USER32(?,?), ref: 00415D30
Part of subcall function 00415D0A: GetWindowRect.USER32(?,?), ref: 00415D71
Part of subcall function 00415D0A: ScreenToClient.USER32(?,?), ref: 00415D99

GetDC.USER32 ref: 004546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00454708
SelectObject.GDI32(00000000,00000000), ref: 00454716
SelectObject.GDI32(00000000,00000000), ref: 0045472B
ReleaseDC.USER32(?,00000000), ref: 00454733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004547C4

Strings

U, xrefs: 00454693

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 35b70a7b7996833853d03c08335a8f43a9e06e71ff8c86c7ce4ac674f8b758aa
Instruction ID: 887fb8666af04f3ee60c595cc3ab95fc0868f9ada7a6041cbaf17a9e9da7969d
Opcode Fuzzy Hash: 35b70a7b7996833853d03c08335a8f43a9e06e71ff8c86c7ce4ac674f8b758aa
Instruction Fuzzy Hash: E171DE34400205DFCF218F64C984AEA3BB1FF8A32AF14426BED555E267D7388886DF58

Function 0048359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004835E4

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

LoadStringW.USER32(004E2390,?,00000FFF,?), ref: 0048360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00483724
Error: , xrefs: 004836EF
^ ERROR, xrefs: 004836C9
"%s" (%d) : ==> %s:, xrefs: 00483742
Line %d (File "%s"):, xrefs: 0048366B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6829c1961d2d7a976b95a72771c5281948a3b144cbd59cc3e9a777d504f96c59
Instruction ID: 4c2bca62849440ba06ab7cf45b7e745419e897b1c1e1e03a16b17439adab886e
Opcode Fuzzy Hash: 6829c1961d2d7a976b95a72771c5281948a3b144cbd59cc3e9a777d504f96c59
Instruction Fuzzy Hash: E5517071800209AADF14EFA1CC92EEEBB35AF04745F14452BF505721A1EB386AD9DF68

Function 0048C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0048C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0048C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0048C2CA
GetLastError.KERNEL32 ref: 0048C322
SetEvent.KERNEL32(?), ref: 0048C336
InternetCloseHandle.WININET(00000000), ref: 0048C341

Strings

, xrefs: 0048C2BB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 74b0636c93e256869bad559c5974195124dd36c9636d8b7d25542fd185a0c4db
Instruction ID: dcca571e5fa73f26138b9223ec9660c497b26d26be665a6c4ee5f2301c3f81ee
Opcode Fuzzy Hash: 74b0636c93e256869bad559c5974195124dd36c9636d8b7d25542fd185a0c4db
Instruction Fuzzy Hash: 6A316F71500604AFD721AF6598C4AAF7BFCEB49744B10892FF84692240DB38DD059B79

Function 0047989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00453AAF,?,?,Bad directive syntax error,004ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004798BC
LoadStringW.USER32(00000000,?,00453AAF,?), ref: 004798C3

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00479987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 004798F1
Error: , xrefs: 00479955
., xrefs: 0047996D
Line %d:, xrefs: 00479912
Line %d (File "%s"):, xrefs: 0047992D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: fa06d9b2b9ad3f3bd0e7f2c0e597206f5bd85a688edb2dc1f3b8ae400d4d489b
Instruction ID: 5e73d1bf454e12fe2114cdb077473c7e2ec109ca6bea76091fc6e4f3dc4d1393
Opcode Fuzzy Hash: fa06d9b2b9ad3f3bd0e7f2c0e597206f5bd85a688edb2dc1f3b8ae400d4d489b
Instruction Fuzzy Hash: BA21B47190021EBBDF11AF90CC16EEE7775FF14704F04442BF915621A2EB39AA68DB58

Function 0047209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0047214D

Strings

largeicons, xrefs: 004720E1
details, xrefs: 004720FB
SHELLDLL_DefView, xrefs: 004720CC
list, xrefs: 0047212F
smallicons, xrefs: 00472115

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 480a8efdf70b991f5fc79afe6b89803628bf79b93d37c7c71f2b55f650fe3af9
Instruction ID: 611cbf69ee29b9cdf684a2aa189dc85727efe1fc5bc048144b682bf17ae3cdaf
Opcode Fuzzy Hash: 480a8efdf70b991f5fc79afe6b89803628bf79b93d37c7c71f2b55f650fe3af9
Instruction Fuzzy Hash: 2B110676688707B9FA017621DD16DE7379CEB09328F60902BFB08B51D2EEAD7802565C

Function 0044CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0044CEB7
_free.LIBCMT ref: 0044CF22
_free.LIBCMT ref: 0044CF48
_free.LIBCMT ref: 0044CF71
_free.LIBCMT ref: 0044CFA9
_free.LIBCMT ref: 0044CFDA
_free.LIBCMT ref: 0044D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044D09C
_free.LIBCMT ref: 0044D0B5

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0f6d594d9b792e19d64dba72ca68b34b4ada623c32d40a52b9590f8e37912daa
Instruction ID: 750c0a0e7a1f753b1cb60f520546c754aa0ddf1d1d4dabc90750fc9e587da608
Opcode Fuzzy Hash: 0f6d594d9b792e19d64dba72ca68b34b4ada623c32d40a52b9590f8e37912daa
Instruction Fuzzy Hash: 4D6138B1A05200ABFB21AFB59CC1A6A7B95EF05314F08416FF9409B3C2DB7D9D45876C

Function 004A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004A5186
ShowWindow.USER32(?,00000000), ref: 004A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004A51D1

Part of subcall function 004A6FBA: DeleteObject.GDI32(00000000), ref: 004A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 004A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 004A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 004A5296

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 4dae0dfdfd476c2aa48fa25c51bbe57a1ae172c8eb4568f9b9190ad095340892
Instruction ID: 69ba058bb8be9b76220c75f41f7b70ee9f71c54bdad541af24d19ba7e72f6293
Opcode Fuzzy Hash: 4dae0dfdfd476c2aa48fa25c51bbe57a1ae172c8eb4568f9b9190ad095340892
Instruction Fuzzy Hash: 8951C131A40A08FEEF309F25DD45BE93B61EB26324F144057F6149A2E1C779A980DF49

Function 00428B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00466890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00428874,00000000,00000000,00000000,000000FF,00000000), ref: 00466901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0046691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00428874,00000000,00000000,00000000,000000FF,00000000), ref: 0046692D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: fa81703eb3a7b5ad67dffe79f50e50ce3408a4c78cab3e762331d8884ff2e4a0
Instruction ID: bd1738f8097e962daaaf6b2cb2eb0be89b6a46b8e53ad3f6cd96e8920b93ee01
Opcode Fuzzy Hash: fa81703eb3a7b5ad67dffe79f50e50ce3408a4c78cab3e762331d8884ff2e4a0
Instruction Fuzzy Hash: 9F518BB0601209EFDB20CF25DC95FAA7BB5FB48750F10452EF902972A0EB78E951DB58

Function 0048C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0048C182
GetLastError.KERNEL32 ref: 0048C195
SetEvent.KERNEL32(?), ref: 0048C1A9

Part of subcall function 0048C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0048C272
Part of subcall function 0048C253: GetLastError.KERNEL32 ref: 0048C322
Part of subcall function 0048C253: SetEvent.KERNEL32(?), ref: 0048C336
Part of subcall function 0048C253: InternetCloseHandle.WININET(00000000), ref: 0048C341

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b216da24480443753077756372bf9f2dc18e2b4ffd6eb7504d4b1429d7cdc380
Instruction ID: b03f585cd010f89a7b7b3a1440e4f4ff447f781d7afdfc5ace4c113a7b38417c
Opcode Fuzzy Hash: b216da24480443753077756372bf9f2dc18e2b4ffd6eb7504d4b1429d7cdc380
Instruction Fuzzy Hash: 40317071900601AFDB21AFA5DC84A6BBBE9FF15300B04496EF95682650DB39E8149FB8

Function 004725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00472601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00472605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0047260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00472623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00472627

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cc795c06aee6b687c30220c1268515723e3d365f9cec9b3b9c9fbbb93e9b046d
Instruction ID: 84133b2d2f81a885ff98e46ed22a8c0740ef85e32ad420e8fde034ecc074791b
Opcode Fuzzy Hash: cc795c06aee6b687c30220c1268515723e3d365f9cec9b3b9c9fbbb93e9b046d
Instruction Fuzzy Hash: 7C01D471390210BBFB106B699CCAF993F59DB4EB12F104016F318AE0D1C9E224459E6E

Function 00471803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00471449,?,?,00000000), ref: 0047180C
HeapAlloc.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 00471813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00471449,?,?,00000000), ref: 00471828
GetCurrentProcess.KERNEL32(?,00000000,?,00471449,?,?,00000000), ref: 00471830
DuplicateHandle.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 00471833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00471449,?,?,00000000), ref: 00471843
GetCurrentProcess.KERNEL32(00471449,00000000,?,00471449,?,?,00000000), ref: 0047184B
DuplicateHandle.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 0047184E
CreateThread.KERNEL32(00000000,00000000,00471874,00000000,00000000,00000000), ref: 00471868

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 99b6ec243ee29bfd6e9bdd53b6a3671cc3cdae3326ceb848c7fb3a9835a12599
Instruction ID: bfcffbb60fd692dca6b937531f55aaf4c7be63ec40b69a2cd0da393570e40acd
Opcode Fuzzy Hash: 99b6ec243ee29bfd6e9bdd53b6a3671cc3cdae3326ceb848c7fb3a9835a12599
Instruction Fuzzy Hash: 4101ACB5340304BFE650ABA5DC89F573BACEB8AB11F014421FA05DB1A1DA749C008F24

Function 0049A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0047D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0047D501
Part of subcall function 0047D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0047D50F
Part of subcall function 0047D4DC: CloseHandle.KERNEL32(00000000), ref: 0047D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0049A16D
GetLastError.KERNEL32 ref: 0049A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0049A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0049A268
GetLastError.KERNEL32(00000000), ref: 0049A273
CloseHandle.KERNEL32(00000000), ref: 0049A2C4

Strings

SeDebugPrivilege, xrefs: 0049A18F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 562f8f691dd63b23c87d6ea90d1282525bd97f5838dee050914e66114e600629
Instruction ID: 36f2df698d255feddc6e8a26eca3dc0c4ee3e7c4f17fa9341202c8a72a231482
Opcode Fuzzy Hash: 562f8f691dd63b23c87d6ea90d1282525bd97f5838dee050914e66114e600629
Instruction Fuzzy Hash: B9616030204241AFDB10DF15C495F56BBE1AF44318F1484AEE46A4B7A3C77AED45CBDA

Function 004A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004A3954
_wcslen.LIBCMT ref: 004A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004A39F4

Strings

SysListView32, xrefs: 004A38F7

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e8de5c6cb76dbd63778f93a435e166ace9dae01d8fa2b12ffa6c3295429251fc
Instruction ID: ccd2430a9be2a533bf818e9775e89bebad9ccd98701324f406f60594f99308b5
Opcode Fuzzy Hash: e8de5c6cb76dbd63778f93a435e166ace9dae01d8fa2b12ffa6c3295429251fc
Instruction Fuzzy Hash: D941C571A00218ABEB21DF64CC45FEB7BA9EF19354F10012BF944E7291E7799D84CB98

Function 0047BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0047BCFD
IsMenu.USER32(00000000), ref: 0047BD1D
CreatePopupMenu.USER32 ref: 0047BD53
GetMenuItemCount.USER32(018E4A58), ref: 0047BDA4
InsertMenuItemW.USER32(018E4A58,?,00000001,00000030), ref: 0047BDCC

Strings

2, xrefs: 0047BD37
0, xrefs: 0047BCA8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 45650f18d7a7bbd6b64570c21c9fccb71755610dcfcb28475d05258f060b191a
Instruction ID: 06c1102c7ce32793cf09bb3edbd64f06b4a9908b57febe5af0d55aa46d925c25
Opcode Fuzzy Hash: 45650f18d7a7bbd6b64570c21c9fccb71755610dcfcb28475d05258f060b191a
Instruction Fuzzy Hash: 5A51AD70A00205AFDB21CFA9C8C4BEEBBF5EF45314F14C12AE45997390E7789945CB99

Function 00432D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00432D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00432D53
_ValidateLocalCookies.LIBCMT ref: 00432DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00432E0C
_ValidateLocalCookies.LIBCMT ref: 00432E61

Strings

csm, xrefs: 00432DF6
&HC, xrefs: 00432DFE, 00432E07, 00432E18

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HC$csm
API String ID: 1170836740-3574481041
Opcode ID: b052d583835687b0c5e66397fabd623dd367a59914160ab0b7e6a30e5a391072
Instruction ID: 61b2e7129eb97acbeca5891d267d3487f72a20dd187edbdd3b69602293c7d7d0
Opcode Fuzzy Hash: b052d583835687b0c5e66397fabd623dd367a59914160ab0b7e6a30e5a391072
Instruction Fuzzy Hash: 0741D834A00209EBCF10DF69C945A9FBBB5BF48329F14915BE8146B392D779DA01CBD4

Function 0047C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0047C913

Strings

blank, xrefs: 0047C895
info, xrefs: 0047C8B4
warning, xrefs: 0047C8FC
question, xrefs: 0047C8CC
stop, xrefs: 0047C8E4

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: da685e691a2a880c087cbae40ceeebdd519494af2af04ae57b12b6c89776ffce
Instruction ID: 21ff85fea1f5f2ea39103eacf143a7c1e73e2a95a43c3f2567d7c8d498d5142b
Opcode Fuzzy Hash: da685e691a2a880c087cbae40ceeebdd519494af2af04ae57b12b6c89776ffce
Instruction Fuzzy Hash: 12112BB178930ABAA7006B149CC2DEB679CDF15319B21402FF608A6382D76C6D0052AD

Function 0047ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0047ED2A
_wcslen.LIBCMT ref: 0047ED3B
_wcslen.LIBCMT ref: 0047ED79
_wcslen.LIBCMT ref: 0047EDAF
_wcslen.LIBCMT ref: 0047EDDF
_wcslen.LIBCMT ref: 0047EDEF
_wcslen.LIBCMT ref: 0047EE2B
_wcslen.LIBCMT ref: 0047EE5A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f9c3f9204ef27489f36bcdff7212644f5214deb91c4c0603e7f10be9e5b25576
Instruction ID: 1734efafe1a5bf421d02fbefdca4c9ddb8c3307d0966683f1d77b2dafadc82fe
Opcode Fuzzy Hash: f9c3f9204ef27489f36bcdff7212644f5214deb91c4c0603e7f10be9e5b25576
Instruction Fuzzy Hash: 9241B465C1011875DB11EBB6888AACF77A8AF4D310F0095A7F518E3161FB3CE255C3AE

Function 0042F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0042F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0046F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0046F454

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2aa2447e6f49d28833af13ef0f09c1b97ba9820ccf9211e2db444395c33b0ed6
Instruction ID: f4f2621174da2dbcae1f2d9782b7a0e71618c96fab850a6fc96cd5e006374c0e
Opcode Fuzzy Hash: 2aa2447e6f49d28833af13ef0f09c1b97ba9820ccf9211e2db444395c33b0ed6
Instruction Fuzzy Hash: 97411BB1708690BAC7348B29B8C872B7BB1AB56314FD4403FE08756761D63D98C9CB1E

Function 004A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004A2D1B
GetDC.USER32(00000000), ref: 004A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004A2DE1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7316aca04863058deed6b42e3504aef6f9b511fd35c6fe0b7ad1bdef8ef33d5e
Instruction ID: d856e670a8b8925bfa9cab915092b040a5f56776acca71eca82ad4298affb0a6
Opcode Fuzzy Hash: 7316aca04863058deed6b42e3504aef6f9b511fd35c6fe0b7ad1bdef8ef33d5e
Instruction Fuzzy Hash: 51318072201214BFEB518F54CC89FEB3FADEF1A755F044065FE089A291C6B59C51CBA8

Function 00475622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00475637
_memcmp.LIBVCRUNTIME ref: 00475659
_memcmp.LIBVCRUNTIME ref: 00475671
_memcmp.LIBVCRUNTIME ref: 00475684
_memcmp.LIBVCRUNTIME ref: 0047569E
_memcmp.LIBVCRUNTIME ref: 004756B1
_memcmp.LIBVCRUNTIME ref: 004756C9
_memcmp.LIBVCRUNTIME ref: 004756E4

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f09c90ec28bd79cc54175b72e46c1bc452d5c0fa430c68cb4f18d814f5f72214
Instruction ID: 6aaefbd7a7b5e915b4a7130ec7be96634651264fc8830a9f4e49c14756843ba7
Opcode Fuzzy Hash: f09c90ec28bd79cc54175b72e46c1bc452d5c0fa430c68cb4f18d814f5f72214
Instruction Fuzzy Hash: 5921FC61640A0977E21855128D82FFB335CAF35398F548027FD0C9EA41F7ADEE1581ED

Function 00494FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00495007
NULL Pointer assignment, xrefs: 0049502E, 00495383

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b238fd80dd0d7ae740eb219830b6c307ec66457dcd0a67b74291a3a14f347149
Instruction ID: 8dec7c5331494979e5d36cd6c230bcdb9564d4360288d4de5feeed0ef83ed8b7
Opcode Fuzzy Hash: b238fd80dd0d7ae740eb219830b6c307ec66457dcd0a67b74291a3a14f347149
Instruction Fuzzy Hash: 7CD1B171A0060A9FDF11CFA8C881BAEBBB5BF48344F24807AE915AB381E774DD45CB54

Function 00451522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00451651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004517FB,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004516FB

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00451777
__freea.LIBCMT ref: 004517A2
__freea.LIBCMT ref: 004517AE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: eb0e1b495fce95ff45c970d785a36241d9353bc7e2e12e693997e5d6c088e61a
Instruction ID: 2d9fc0e671a93cb11dd0f2ad9e35df09db9d30e9d6593efe0ad0e6388275eadb
Opcode Fuzzy Hash: eb0e1b495fce95ff45c970d785a36241d9353bc7e2e12e693997e5d6c088e61a
Instruction Fuzzy Hash: 5D919571E00219ABDB208E74C881FEF7BA59F49715F14455BEC01E7262E739DC49CB68

Function 00494523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00494648
VariantInit.OLEAUT32(?), ref: 00494749
VariantClear.OLEAUT32(?), ref: 00494753
VariantClear.OLEAUT32(?), ref: 004947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0049472C
Null Object assignment in FOR..IN loop, xrefs: 004945D8, 00494706, 004947BE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 2ebac426175ff9fb6e9da2ae0e80cb907101ac896897a2ad3f77000a6464efdc
Instruction ID: 49d1327ca34a333b24b80c15ad50ea4de85957ccdb0ea6a9acfa31d50e2c941a
Opcode Fuzzy Hash: 2ebac426175ff9fb6e9da2ae0e80cb907101ac896897a2ad3f77000a6464efdc
Instruction Fuzzy Hash: 23917671A00219ABDF24CF95C844FAF7BB8EF85714F10856AF505AB280D7789946CF64

Function 00481187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0048125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00481284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0048135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00481430

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: aee331f254702f38886dcb4d288015d2289387f05f7cd37a655d3462f6966ce3
Instruction ID: 64fc30596eb504eb7ab17840d15f4c53607af06c0435327a91be93ebc5de8b8f
Opcode Fuzzy Hash: aee331f254702f38886dcb4d288015d2289387f05f7cd37a655d3462f6966ce3
Instruction Fuzzy Hash: 29910371A002189FDB00EF95C884BBE77B9FF49715F10486BE901E72A1D77CA946CB98

Function 0042948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 56b786534807ed635d9a112595599399987c437eff24ff106a30e51f28f5438f
Instruction ID: 05ca2aec769e6b47f8c426d4addd1e26013a7838f5e39a7bcea2991a43360470
Opcode Fuzzy Hash: 56b786534807ed635d9a112595599399987c437eff24ff106a30e51f28f5438f
Instruction Fuzzy Hash: A1913971A04219EFCB10CFA9D884AEEBBB8FF49324F54405AE515B7251D3789D82CB64

Function 00493947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0049396B
CharUpperBuffW.USER32(?,?), ref: 00493A7A
_wcslen.LIBCMT ref: 00493A8A
VariantClear.OLEAUT32(?), ref: 00493C1F

Part of subcall function 00480CDF: VariantInit.OLEAUT32(00000000), ref: 00480D1F
Part of subcall function 00480CDF: VariantCopy.OLEAUT32(?,?), ref: 00480D28
Part of subcall function 00480CDF: VariantClear.OLEAUT32(?), ref: 00480D34

Strings

AUTOIT.ERROR, xrefs: 00493A80, 00493A85
Incorrect Parameter format, xrefs: 004939A6, 00493BA1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 88982912e204bbfa6657a811737a40fffd51642d03dd00ef088e26b1adb3d6da
Instruction ID: 7abff49528f9ca478c0ed716ea95a9677b8116d4d684bb9f2884dc78bc125727
Opcode Fuzzy Hash: 88982912e204bbfa6657a811737a40fffd51642d03dd00ef088e26b1adb3d6da
Instruction Fuzzy Hash: C6918F756083019FCB00DF25C49096ABBE5FF89319F14886EF88997351DB38EE45CB9A

Function 00494BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0047000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?,?,0047035E), ref: 0047002B
Part of subcall function 0047000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470046
Part of subcall function 0047000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470054
Part of subcall function 0047000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?), ref: 00470064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00494C51
_wcslen.LIBCMT ref: 00494D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00494DCF
CoTaskMemFree.OLE32(?), ref: 00494DDA

Strings

NULL Pointer assignment, xrefs: 00494E23, 00494E52

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 034c0e50423b88157db3d55f6448d277a0f12507a72737709af303e6f75eee3d
Instruction ID: fb1e49d811127fe42ed8b59ade19fa264a589f5667d7a5bcdfb86709c6736fd3
Opcode Fuzzy Hash: 034c0e50423b88157db3d55f6448d277a0f12507a72737709af303e6f75eee3d
Instruction Fuzzy Hash: F6912871D0021DAFDF14DFA5C890EEEBBB8BF48314F10856AE919A7241DB389A45CF64

Function 004A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004A2183
GetMenuItemCount.USER32(00000000), ref: 004A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004A21DD
_wcslen.LIBCMT ref: 004A2213
GetMenuItemID.USER32(?,?), ref: 004A224D
GetSubMenu.USER32(?,?), ref: 004A225B

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004A22E3

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: f3f8601e0741e47e78fee9b41a610745c3570be8510e40c853e7118103b45cf3
Instruction ID: 3ef26ecbc2bf3be259ad124bdf7b76e12a09e14050462215450b4c8d5e6bd8a2
Opcode Fuzzy Hash: f3f8601e0741e47e78fee9b41a610745c3570be8510e40c853e7118103b45cf3
Instruction Fuzzy Hash: A271E476E00205AFCB00DF69C981AAEB7F1EF59314F1084AAE816EB341D778ED419B94

Function 0047AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0047AEF9
GetKeyboardState.USER32(?), ref: 0047AF0E
SetKeyboardState.USER32(?), ref: 0047AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0047AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0047AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0047AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0047B020

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 40ee27a15ad657b69e9c20263c7dba566f63bcabc90887c08775352c3cadb2c5
Instruction ID: d7e5f11b83c820724254a0923878970e609ff0f53a82abb492559a88144b401a
Opcode Fuzzy Hash: 40ee27a15ad657b69e9c20263c7dba566f63bcabc90887c08775352c3cadb2c5
Instruction Fuzzy Hash: A251C1A06087D53DFB3682348849BFB7EA99B46304F08C58AE1DD955C2C39CA894D79A

Function 0047ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0047AD19
GetKeyboardState.USER32(?), ref: 0047AD2E
SetKeyboardState.USER32(?), ref: 0047AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0047ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0047ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0047AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0047AE38

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6c3b504252f4563d54bb1c869af65293ee7305c5de8bb617e74c4d8021c1d268
Instruction ID: 0bbb919b1a8013fc562e5559fa36ea9a63a4bb6e9823816ce019a46bd98018ea
Opcode Fuzzy Hash: 6c3b504252f4563d54bb1c869af65293ee7305c5de8bb617e74c4d8021c1d268
Instruction Fuzzy Hash: A951E6A15447D13DFB3283248C45BFF7E995B86300F08C88AE0DD469C2C298ECA8D75A

Function 0044542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00453CD6,?,?,?,?,?,?,?,?,00445BA3,?,?,00453CD6,?,?), ref: 00445470
__fassign.LIBCMT ref: 004454EB
__fassign.LIBCMT ref: 00445506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00453CD6,00000005,00000000,00000000), ref: 0044552C
WriteFile.KERNEL32(?,00453CD6,00000000,00445BA3,00000000,?,?,?,?,?,?,?,?,?,00445BA3,?), ref: 0044554B
WriteFile.KERNEL32(?,?,00000001,00445BA3,00000000,?,?,?,?,?,?,?,?,?,00445BA3,?), ref: 00445584

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7be974b27e3db8dce4288a28fe535950d8195cfebf89370f4fd5ac15572036ee
Instruction ID: 3a8be8e9041603259f37193ebde6c42580a139486c5335926ac659f1848a661e
Opcode Fuzzy Hash: 7be974b27e3db8dce4288a28fe535950d8195cfebf89370f4fd5ac15572036ee
Instruction Fuzzy Hash: 3751E770A00649AFEF11CFA8D885AEEBBF5EF09300F14412BF555E7292D7749A41CB68

Function 004910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
Part of subcall function 0049304E: _wcslen.LIBCMT ref: 0049309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00491112
WSAGetLastError.WSOCK32 ref: 00491121
WSAGetLastError.WSOCK32 ref: 004911C9
closesocket.WSOCK32(00000000), ref: 004911F9

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b7f5be6981453c93e9ec974bea7938a17b159b6a8a173b8e965b638d6c3ddd39
Instruction ID: 9765d20cc8d782846dd36171b63127cfe19ab6084df616b64c42d05d81aaa42c
Opcode Fuzzy Hash: b7f5be6981453c93e9ec974bea7938a17b159b6a8a173b8e965b638d6c3ddd39
Instruction Fuzzy Hash: 2341F731600105AFDB109F14C885BAABFE9FF45358F14806AF9159B3A1C778ED81CBE9

Function 0047CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0047CF22,?), ref: 0047DDFD

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0047CF22,?), ref: 0047DE16

lstrcmpiW.KERNEL32(?,?), ref: 0047CF45
MoveFileW.KERNEL32(?,?), ref: 0047CF7F
_wcslen.LIBCMT ref: 0047D005
_wcslen.LIBCMT ref: 0047D01B
SHFileOperationW.SHELL32(?), ref: 0047D061

Strings

\*.*, xrefs: 0047CFF3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 62f6b3a1e6a5787324d0ee43f90a1785a2ab35238f2a3adaca4e7c80b1e0c04d
Instruction ID: 0a0c3ffc89610867f98d1ace412faacb9624685888a867e35375af47558ba2bc
Opcode Fuzzy Hash: 62f6b3a1e6a5787324d0ee43f90a1785a2ab35238f2a3adaca4e7c80b1e0c04d
Instruction Fuzzy Hash: 8F415771D451185EDF12EFA5C9C1BDE77B8AF09384F1040EBE509EB141EA38A644CB58

Function 004A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 004A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 004A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 004A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 004A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A2F0B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: afcbe08b7f12ab77c33aea948100070413457703b78f4eda8510633d1e4fc66f
Instruction ID: 09217e66e949798d80aafdba6fd8cf359fa017d9f37003bb1065f243eb873d51
Opcode Fuzzy Hash: afcbe08b7f12ab77c33aea948100070413457703b78f4eda8510633d1e4fc66f
Instruction Fuzzy Hash: 9131F430645150AFDB21CF5CDDC4F6637E1EB6A710F150166F9048F2B2CBB5A880EB49

Function 00477726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0047778F
SysAllocString.OLEAUT32(00000000), ref: 00477792
SysAllocString.OLEAUT32(?), ref: 004777B0
SysFreeString.OLEAUT32(?), ref: 004777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004777DE
SysAllocString.OLEAUT32(?), ref: 004777EC

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e6a0c0eb23b43237f02c289bba32fe5ef36be76d90ecdb7aa812a8b03671a11e
Instruction ID: 1907a6c854d28df787dbcbc206c865ff6f7debe4ef7c476506690dd4b1d39068
Opcode Fuzzy Hash: e6a0c0eb23b43237f02c289bba32fe5ef36be76d90ecdb7aa812a8b03671a11e
Instruction Fuzzy Hash: 6221B276604219AFDB14DFA8DC88CFB77ECEB093647408436F908DB250D674EC468B68

Function 004777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477868
SysAllocString.OLEAUT32(00000000), ref: 0047786B
SysAllocString.OLEAUT32 ref: 0047788C
SysFreeString.OLEAUT32 ref: 00477895
StringFromGUID2.OLE32(?,?,00000028), ref: 004778AF
SysAllocString.OLEAUT32(?), ref: 004778BD

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 11d4671478df9d5c1c740a4ccf61f69d67fdd52e40f7201c801f33d2b5096ed4
Instruction ID: 7b05e49c742221ac8033265a869f9c6274cf91dd368ec5728a39e532596ed145
Opcode Fuzzy Hash: 11d4671478df9d5c1c740a4ccf61f69d67fdd52e40f7201c801f33d2b5096ed4
Instruction Fuzzy Hash: 6D216231604114AFDB10AFA8DC88DBB7BECEB097607518126F919CB2A1D678DC45CB6D

Function 004804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0048052E

Strings

nul, xrefs: 00480567

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 75f099e1712beaf22993d6797736cfda6e356f7bed940b78d76a406d5909e4f5
Instruction ID: 9a48228d481c7bd7bb189645c54176b79ad7b283bab6f5613cb5bd11d2649014
Opcode Fuzzy Hash: 75f099e1712beaf22993d6797736cfda6e356f7bed940b78d76a406d5909e4f5
Instruction Fuzzy Hash: 95216D75610305AFDB60EF29DC44A9E7BE4AF45724F204E2AF8A1D62E0D7749948CF38

Function 004805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00480601

Strings

nul, xrefs: 00480639

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b2f9696a9f57c13ff0eea99611995276ab9cdec46da63bd1386f26d5c8e4c062
Instruction ID: d726e9dae3363738ef992d0155cfbe510bd649dfe070012dba31d1431b556c8d
Opcode Fuzzy Hash: b2f9696a9f57c13ff0eea99611995276ab9cdec46da63bd1386f26d5c8e4c062
Instruction Fuzzy Hash: 39219135510305AFDB60AF698C44A5F77E4AF85720F200F2AE8A1E33E0E7749864CB28

Function 004A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
Part of subcall function 0041600E: GetStockObject.GDI32(00000011), ref: 00416060
Part of subcall function 0041600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004A4145

Strings

Msctls_Progress32, xrefs: 004A40E3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: eb2e48e241f30cabd6ad8765c96a960efee5f0007c069f28fc0c94112b3dec4a
Instruction ID: c9d7ba6ed7162725d3ced616448d1b5bbf84ed62faece9bae52646308c077414
Opcode Fuzzy Hash: eb2e48e241f30cabd6ad8765c96a960efee5f0007c069f28fc0c94112b3dec4a
Instruction Fuzzy Hash: 3311E6B11401197EEF108F64CC85EEB7F5DEF59398F004111B618A6150C776DC61DBA8

Function 0044D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044D7A3: _free.LIBCMT ref: 0044D7CC

_free.LIBCMT ref: 0044D82D

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044D838
_free.LIBCMT ref: 0044D843
_free.LIBCMT ref: 0044D897
_free.LIBCMT ref: 0044D8A2
_free.LIBCMT ref: 0044D8AD
_free.LIBCMT ref: 0044D8B8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c377767b27301cc4aad4fa5b422dd55e7ddbb0a192f5bf0fcbcedc779b9b7479
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 671121B1A40B04ABF921BFB2CC47FCB7BDC6F04704F80482EB299A6692DA7DB5054654

Function 0047DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0047DA74
LoadStringW.USER32(00000000), ref: 0047DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0047DA91
LoadStringW.USER32(00000000), ref: 0047DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0047DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0047DAB9

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9ae9e66c017f939920714558eb0fecf04ebc3d6516ba418c19b3f3a1a321dd28
Instruction ID: a1da462aa9e4c506d35bab5c7eaf66fe5d3b49265c8d1cd150d4c48e4bf2559b
Opcode Fuzzy Hash: 9ae9e66c017f939920714558eb0fecf04ebc3d6516ba418c19b3f3a1a321dd28
Instruction Fuzzy Hash: 1B0186F69002087FE750DBA09DC9EE7376CEB09301F4044A6F70AE2041EA749E844F78

Function 0048096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(018DE348,018DE348), ref: 0048097B
EnterCriticalSection.KERNEL32(018DE328,00000000), ref: 0048098D
TerminateThread.KERNEL32(?,000001F6), ref: 0048099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004809A9
CloseHandle.KERNEL32(?), ref: 004809B8
InterlockedExchange.KERNEL32(018DE348,000001F6), ref: 004809C8
LeaveCriticalSection.KERNEL32(018DE328), ref: 004809CF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 90215555e3ef42918418173c8ab6f3141c7f7e97d37f10a1312a54bc034fafd1
Instruction ID: 79c4584fa51b4a0e3771378881f3d9c5bd24afcb0b8ee26a218ab75ad849665e
Opcode Fuzzy Hash: 90215555e3ef42918418173c8ab6f3141c7f7e97d37f10a1312a54bc034fafd1
Instruction Fuzzy Hash: EEF03172542502BBD7815F94EECCBDA7F35FF02702F401026F101508A0CB749465CF98

Function 00491C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00491DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00491DE1
WSAGetLastError.WSOCK32 ref: 00491DF2
htons.WSOCK32(?,?,?,?,?), ref: 00491EDB
inet_ntoa.WSOCK32(?), ref: 00491E8C

Part of subcall function 004739E8: _strlen.LIBCMT ref: 004739F2

Part of subcall function 00493224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0048EC0C), ref: 00493240

_strlen.LIBCMT ref: 00491F35

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 33213f29a5a3a6eff9799c38623d9d5dd3531a18cbb4e900b3e423c5e6e49773
Instruction ID: 3f16cbace0477e478eccabfe3b91f0a5ccb8d7982bd02e61bfee587c1a98ea02
Opcode Fuzzy Hash: 33213f29a5a3a6eff9799c38623d9d5dd3531a18cbb4e900b3e423c5e6e49773
Instruction Fuzzy Hash: 14B1F231204301AFC724EF25C885E6A7BE5AF84318F54856EF4564B3E2DB39ED42CB95

Function 00415D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00415D30
GetWindowRect.USER32(?,?), ref: 00415D71
ScreenToClient.USER32(?,?), ref: 00415D99
GetClientRect.USER32(?,?), ref: 00415ED7
GetWindowRect.USER32(?,?), ref: 00415EF8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9a7bbd2ee61cc26cc93447fe43f975dc4a29f2f7d440b0fa1e3f85092c77c0b6
Instruction ID: 58ba3854c76b15d91ee6a1e7bd697758bdfb85b9c9fc66b20e6df40114c91a6d
Opcode Fuzzy Hash: 9a7bbd2ee61cc26cc93447fe43f975dc4a29f2f7d440b0fa1e3f85092c77c0b6
Instruction Fuzzy Hash: B7B17B78A0074ADBDB10DFA9C4807EEB7F1FF94310F14841AE8A9D7250D738AA91DB59

Function 004401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004400D6
__allrem.LIBCMT ref: 004400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044010B
__allrem.LIBCMT ref: 00440122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00440140

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a7bc3b624c1f6bf048d3cb5a78ab0417a2618118eb77044d913ecf2298be7943
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 3681F572A007069BF720AE2ACC41B6B73E8AF55328F24453FF951D7781E779D9048B98

Function 004461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004382D9,004382D9,?,?,?,0044644F,00000001,00000001,8BE85006), ref: 00446258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044644F,00000001,00000001,8BE85006,?,?,?), ref: 004462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004463D8
__freea.LIBCMT ref: 004463E5

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

__freea.LIBCMT ref: 004463EE
__freea.LIBCMT ref: 00446413

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 32a539a2e8659de3411d454d0271453b1558fa1f381ee0f743e755c2849ab4b9
Instruction ID: 08792b7ba3183a3762053034266875ea390e27941e422d4b1903377c80dd72d7
Opcode Fuzzy Hash: 32a539a2e8659de3411d454d0271453b1558fa1f381ee0f743e755c2849ab4b9
Instruction Fuzzy Hash: 48512472600256ABFB259F64CC81EAF7BA9EF46710F16426BFC05D6240DB3CDC40C66A

Function 0049BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049BD25
RegCloseKey.ADVAPI32(00000000), ref: 0049BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0049BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0049BDF3
RegCloseKey.ADVAPI32(?), ref: 0049BDFF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 282e87c4c6d16a977ea2010c812f26b99a3bfa845eeffb0d6777e52a9b0527dc
Instruction ID: be57c2d582a13b8435e86927679a46912f523a4374cf047bf12102d224957fb4
Opcode Fuzzy Hash: 282e87c4c6d16a977ea2010c812f26b99a3bfa845eeffb0d6777e52a9b0527dc
Instruction Fuzzy Hash: 8381DD30208200AFCB14DF20D884E6ABBE5FF84308F14896EF4594B2A2DB35ED45CB96

Function 0046F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0046F7B9
SysAllocString.OLEAUT32(00000001), ref: 0046F860
VariantCopy.OLEAUT32(0046FA64,00000000), ref: 0046F889
VariantClear.OLEAUT32(0046FA64), ref: 0046F8AD
VariantCopy.OLEAUT32(0046FA64,00000000), ref: 0046F8B1
VariantClear.OLEAUT32(?), ref: 0046F8BB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f3b43f721847c897f411ed0f6ecbaa374eacf9d54d8791cddd8260a4e76c43be
Instruction ID: 39739ae8b2f115f53030ea3b63a812cd6793bdd48726e099c0b1ea6ef1983e18
Opcode Fuzzy Hash: f3b43f721847c897f411ed0f6ecbaa374eacf9d54d8791cddd8260a4e76c43be
Instruction Fuzzy Hash: EC51E971610310BACF10AB66E895B29B3A4EF45314F20447BE946DF291FB789C49C79F

Function 0048910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004894E5
_wcslen.LIBCMT ref: 00489506
_wcslen.LIBCMT ref: 0048952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00489585

Strings

X, xrefs: 00489412

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3f5e307eb190a977569e712c2f3c97e73f5ab95067c344a20d666be8f95ded1b
Instruction ID: f7a77bbc4ea995dcc8ce3c6660a8f1fb99c9f336fc6429c5337dcca31ac4c31c
Opcode Fuzzy Hash: 3f5e307eb190a977569e712c2f3c97e73f5ab95067c344a20d666be8f95ded1b
Instruction Fuzzy Hash: 29E1B6315047009FD714EF25C881AAEB7E1BF85318F08896EF8999B391DB34DD45CB99

Function 0042920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

BeginPaint.USER32(?,?,?), ref: 00429241
GetWindowRect.USER32(?,?), ref: 004292A5
ScreenToClient.USER32(?,?), ref: 004292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004292D3
EndPaint.USER32(?,?,?,?,?), ref: 00429321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004671EA

Part of subcall function 00429339: BeginPath.GDI32(00000000), ref: 00429357

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 72cad3d36e04ed09d64d74d7880cf55430a2b78e874b7f329a77fe2d10a71600
Instruction ID: 6034aaa4e55575bdf0aa3a0fa7d2e1413272dd3e658d1a97844b9e5c3fc0697a
Opcode Fuzzy Hash: 72cad3d36e04ed09d64d74d7880cf55430a2b78e874b7f329a77fe2d10a71600
Instruction Fuzzy Hash: 8141A170204210AFD710DF25DCC4FBA7BA8EF4A724F04066AF9548B2B2D7389C45DB6A

Function 004807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0048080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00480847
EnterCriticalSection.KERNEL32(?), ref: 00480863
LeaveCriticalSection.KERNEL32(?), ref: 004808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00480921

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: aa31434462335baa3911a1a2d7e8f17d93c60f78bdd1595adb4317bdadda0d1b
Instruction ID: 23546aaab79aade105d2a92eb994ff35ddc13e6bf4c3c2ecd305efc941eeff80
Opcode Fuzzy Hash: aa31434462335baa3911a1a2d7e8f17d93c60f78bdd1595adb4317bdadda0d1b
Instruction Fuzzy Hash: A0418B71A00205EBDF15AF54DC85AAA7778FF04304F5044BAED00AA297DB34DE68DBA8

Function 004A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0046F3AB,00000000,?,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 004A824C
EnableWindow.USER32(?,00000000), ref: 004A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004A82D1
ShowWindow.USER32(?,00000004), ref: 004A82E5
EnableWindow.USER32(?,00000001), ref: 004A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004A832F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b5dc2a36551623c901a162104724f3f712abc3599ad27a2d8ce1f4f42292cd60
Instruction ID: 4885e7855455d33656b92683b48d2dc7f613daad38af60fa9af44eff188f5a09
Opcode Fuzzy Hash: b5dc2a36551623c901a162104724f3f712abc3599ad27a2d8ce1f4f42292cd60
Instruction Fuzzy Hash: 5D418C75601644AFDF21CF15D8D9BA57BE0FB1B714F1801AAEA484F2B3CB36A841CB48

Function 00474C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00474C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00474CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00474CEA
_wcslen.LIBCMT ref: 00474D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00474D10
_wcsstr.LIBVCRUNTIME ref: 00474D1A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 15c91f6e0f99a0ebf2fd6f861934d6e580247feef5fe8302afb14faef0a2276d
Instruction ID: 41177ba51f8c10e7beae0a095ce292d86f1b12f90b2af649872799cd8941021b
Opcode Fuzzy Hash: 15c91f6e0f99a0ebf2fd6f861934d6e580247feef5fe8302afb14faef0a2276d
Instruction Fuzzy Hash: CC21FF712041107BE7259B35AD45EBB7F9CDF85750F11807FF809CA151DF69DC0196A4

Function 0048581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

_wcslen.LIBCMT ref: 0048587B
CoInitialize.OLE32(00000000), ref: 00485995
CoCreateInstance.OLE32(004AFCF8,00000000,00000001,004AFB68,?), ref: 004859AE
CoUninitialize.OLE32 ref: 004859CC

Strings

.lnk, xrefs: 00485876, 004858C1, 00485985

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 02f5273dad3f3599585c3c68b88e11e0e4d097715929a94f3ea41ee0264f97f7
Instruction ID: 1f241cee7ad67021fafe78226c8e2e1a15611d7450086d2c0c520245b3ce15a1
Opcode Fuzzy Hash: 02f5273dad3f3599585c3c68b88e11e0e4d097715929a94f3ea41ee0264f97f7
Instruction Fuzzy Hash: CFD144716046019FC714EF25C480A6EBBE2FF89718F14885EF8899B361D739EC45CB9A

Function 0047175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00470FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00470FCA
Part of subcall function 00470FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00470FD6
Part of subcall function 00470FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00470FE5
Part of subcall function 00470FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00470FEC
Part of subcall function 00470FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00471002

GetLengthSid.ADVAPI32(?,00000000,00471335), ref: 004717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004717BA
HeapAlloc.KERNEL32(00000000), ref: 004717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004717DA
GetProcessHeap.KERNEL32(00000000,00000000,00471335), ref: 004717EE
HeapFree.KERNEL32(00000000), ref: 004717F5

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 713752c9510535fc862bbcb1e67439a462adb0fa9335662028b91e6e4304af82
Instruction ID: 39f37885331c193b6c0bd358c72011c24584806004971767b5060491a8fac03d
Opcode Fuzzy Hash: 713752c9510535fc862bbcb1e67439a462adb0fa9335662028b91e6e4304af82
Instruction Fuzzy Hash: 8D118E71601205FFDB189FA8CC89BEFBBA9EB46355F10802AF44597220D739A944CF68

Function 004714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00471506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00471515
CloseHandle.KERNEL32(00000004), ref: 00471520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00471563

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0d09d6919cd0f005675ec209c84f50e23e76bc35b7ae51b336fd4fb1b33fd804
Instruction ID: 2f1594f55a7c8cb2294521a8c34156db9a8aa7a81e0dec2a4c56a20469988dd3
Opcode Fuzzy Hash: 0d09d6919cd0f005675ec209c84f50e23e76bc35b7ae51b336fd4fb1b33fd804
Instruction Fuzzy Hash: 9011267650020ABBDF118FA8DE89BDF7BA9EF49744F048025FA09A2160C3758E65DB64

Function 00433382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00433379,00432FE5), ref: 00433390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004333B7
SetLastError.KERNEL32(00000000,?,00433379,00432FE5), ref: 00433409

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 469ef4a56577646f07dc347ed40af544db939259e64b68e6f90b7660ca2eb47b
Instruction ID: ee87cfb10787d4b11fea635c66c6473afc9bf668c8963e6ba6ff383981fa8817
Opcode Fuzzy Hash: 469ef4a56577646f07dc347ed40af544db939259e64b68e6f90b7660ca2eb47b
Instruction Fuzzy Hash: 7A01F53220A312BEAA252FB66CC66576B54DB1D77BF20923FF810812F1EF194D01914C

Function 00442D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00445686,00453CD6,?,00000000,?,00445B6A,?,?,?,?,?,0043E6D1,?,004D8A48), ref: 00442D78
_free.LIBCMT ref: 00442DAB
_free.LIBCMT ref: 00442DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0043E6D1,?,004D8A48,00000010,00414F4A,?,?,00000000,00453CD6), ref: 00442DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0043E6D1,?,004D8A48,00000010,00414F4A,?,?,00000000,00453CD6), ref: 00442DEC
_abort.LIBCMT ref: 00442DF2

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 87b26909f72037bad5c5d086486b1020b940d93f18a23cd448839f0232acdda1
Instruction ID: da92441ee169492da4535394740f22c8a52c034306245e407036841f70511c34
Opcode Fuzzy Hash: 87b26909f72037bad5c5d086486b1020b940d93f18a23cd448839f0232acdda1
Instruction Fuzzy Hash: AEF02DB194590137F65237367E46F5F2A55AFC2765F64002FF824922D2DEFC8801426C

Function 004A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00429639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296A2
Part of subcall function 00429639: BeginPath.GDI32(?), ref: 004296B9
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004A8A70
LineTo.GDI32(?,00000000,00000003), ref: 004A8A80
EndPath.GDI32(?), ref: 004A8A90
StrokePath.GDI32(?), ref: 004A8AA0

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b6c18d542ec193f35e011439873e7249bcde06685e767de20389c9ba3aade09f
Instruction ID: 2763b2413425744688e43200f531a1f45c9e2f9b88bac5330b09e51f8288fde3
Opcode Fuzzy Hash: b6c18d542ec193f35e011439873e7249bcde06685e767de20389c9ba3aade09f
Instruction Fuzzy Hash: B611177604414CFFEF129F90DC88EAA7FACEB09354F008026BA199A1A1C7719D55DFA4

Function 004751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00475218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00475229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00475230
ReleaseDC.USER32(00000000,00000000), ref: 00475238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0047524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00475261

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 56a657c657abbaf1ae1b2fa63b866ad810472cae7daa1520dd3baeb040bf8ccd
Instruction ID: b478207ead9bded2994e5a75cdca39e5f22044c99e0cd918db43bcb14021a8ec
Opcode Fuzzy Hash: 56a657c657abbaf1ae1b2fa63b866ad810472cae7daa1520dd3baeb040bf8ccd
Instruction Fuzzy Hash: AF014475A00714BBEB109BA59C49A9EBFB9EB45751F044066FA04AB381D6709C01CFA4

Function 00411BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00411BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00411C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00411C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00411C22

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b82c27ef77be373fb79d768c11b49100e3c2383e9df10edc1a26d8b66baebb76
Instruction ID: d493e9c988888cf1d66a9505dcfddd78373853669c9bcba617f077a56dc52d90
Opcode Fuzzy Hash: b82c27ef77be373fb79d768c11b49100e3c2383e9df10edc1a26d8b66baebb76
Instruction Fuzzy Hash: 880167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0047EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0047EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0047EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0047EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB75

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9833bf06cacfe7257034509a113eb5214938d23b96800fcfedc48189a40a840d
Instruction ID: 9e055b19992bea128c1e96962202570f0e47ffc8bf24a53ce0b8b7c318cd5711
Opcode Fuzzy Hash: 9833bf06cacfe7257034509a113eb5214938d23b96800fcfedc48189a40a840d
Instruction Fuzzy Hash: 3FF05472240158BBE7619B529C4DEEF3E7CEFCBB11F004169F601D1191DBA05A01CAB9

Function 00467439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00467452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00467469
GetWindowDC.USER32(?), ref: 00467475
GetPixel.GDI32(00000000,?,?), ref: 00467484
ReleaseDC.USER32(?,00000000), ref: 00467496
GetSysColor.USER32(00000005), ref: 004674B0

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 93c9250fc3b27b4d275d6063ab14f121d8382c43f99ff1df49e7e13a0a3fb3de
Instruction ID: 37d12297833d4d9562e8c5ae27ae2f72ad7d91c848f1b1e770cf022df2df1e3b
Opcode Fuzzy Hash: 93c9250fc3b27b4d275d6063ab14f121d8382c43f99ff1df49e7e13a0a3fb3de
Instruction Fuzzy Hash: 6A018B31500215FFEB909F64DD48BAA7FB5FB05311F500071F915A21A1CF311E42AB59

Function 00471874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0047187F
UnloadUserProfile.USERENV(?,?), ref: 0047188B
CloseHandle.KERNEL32(?), ref: 00471894
CloseHandle.KERNEL32(?), ref: 0047189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004718A5
HeapFree.KERNEL32(00000000), ref: 004718AC

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9bf72216978b42fe2df08dc3f184cd041d70c36a5b0b1ebf7cab93073d43d17f
Instruction ID: a6468c14aaad85d95ab4b43a71100f0c1fd1e9a74cc05d3d72b1e6cbacef8e77
Opcode Fuzzy Hash: 9bf72216978b42fe2df08dc3f184cd041d70c36a5b0b1ebf7cab93073d43d17f
Instruction Fuzzy Hash: 04E0E576204101BBDB416FA1ED4C90ABF79FF4AB22B108230F22581070CB329421DF58

Function 0041BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041BEB3

Strings

D%N, xrefs: 0041BCA2
D%N, xrefs: 0041BDED, 0041BD91, 0041BD1B
D%N, xrefs: 0041BE9A
D%ND%N, xrefs: 0041BCA5

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%N$D%N$D%N$D%ND%N
API String ID: 1385522511-2848982604
Opcode ID: 778719f60a104dcf0ccd177bdf84589ea30439dbf6684f63a5fdf9524693df48
Instruction ID: 6ea5914dde4d3614734cc7f24822dc5fde11845d43a37a4303ff65ac5b2307f6
Opcode Fuzzy Hash: 778719f60a104dcf0ccd177bdf84589ea30439dbf6684f63a5fdf9524693df48
Instruction Fuzzy Hash: 57916875A0020ADFCB18CF59C1906EAB7F1FF59310B24816ED941AB350E779AD81CBD8

Function 00497B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00430242: EnterCriticalSection.KERNEL32(004E070C,004E1884,?,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043024D
Part of subcall function 00430242: LeaveCriticalSection.KERNEL32(004E070C,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043028A

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

__Init_thread_footer.LIBCMT ref: 00497BFB

Part of subcall function 004301F8: EnterCriticalSection.KERNEL32(004E070C,?,?,00428747,004E2514), ref: 00430202
Part of subcall function 004301F8: LeaveCriticalSection.KERNEL32(004E070C,?,00428747,004E2514), ref: 00430235

Strings

+TF, xrefs: 00497E2E
G, xrefs: 00497C7F
Variable must be of type 'Object'., xrefs: 00497C3A
5, xrefs: 00497C78

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TF$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4280218163
Opcode ID: 7c6b05282dfecf6096ecc36bfc019a6b62a39f02751ebcaa28ad6b5ced8b8967
Instruction ID: dc8afd1bf4116c1208d511a716ebc4e0fe3f2365de9aa8903e19c7bac440db70
Opcode Fuzzy Hash: 7c6b05282dfecf6096ecc36bfc019a6b62a39f02751ebcaa28ad6b5ced8b8967
Instruction Fuzzy Hash: 6C91AD70A14208EFCF04EF55D8919AEBBB1BF49304F14816EF8065B392DB79AE41CB59

Function 0047C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047C6EE
_wcslen.LIBCMT ref: 0047C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0047C7CA

Strings

0, xrefs: 0047C6AF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 072e598687313c420cbe8ffebe6dec4419406483a713e614a6500ac6f818a08f
Instruction ID: 036c8139172a9f7fd1662064223204c19d98b54ff38c2ffca6a104d234804fbf
Opcode Fuzzy Hash: 072e598687313c420cbe8ffebe6dec4419406483a713e614a6500ac6f818a08f
Instruction Fuzzy Hash: 4251E3716043019BD7189F29C8C5BEB77E4AF49314F04892FF999D32A1DB78D904CB5A

Function 0049AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0049AEA3

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

GetProcessId.KERNEL32(00000000), ref: 0049AF38
CloseHandle.KERNEL32(00000000), ref: 0049AF67

Strings

<, xrefs: 0049AE6B
@, xrefs: 0049AE72

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 7b8fe3b9fe18e830540d885642078d658d3c079133413d063b53bffb75f87e2d
Instruction ID: 768865b3bdf31409f9d64233fa41ed74dc96dff1021e3930170bc98b8bc759db
Opcode Fuzzy Hash: 7b8fe3b9fe18e830540d885642078d658d3c079133413d063b53bffb75f87e2d
Instruction Fuzzy Hash: 4D714970A00615DFCF14DF55C484A9EBBF1BF08318F0484AAE81AAB751CB78ED95CB99

Function 0047719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00477206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0047723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0047724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004772CF

Strings

DllGetClassObject, xrefs: 00477242

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 84df3b845cbf5adf0a617163e0c43572df966713748ba81f1eda258850e5e808
Instruction ID: 78e40fe605dddce31242282e7b0a38f9ab9f1a9eb59d5bfeefa87fa2826868c2
Opcode Fuzzy Hash: 84df3b845cbf5adf0a617163e0c43572df966713748ba81f1eda258850e5e808
Instruction Fuzzy Hash: 1A419D71A04204AFDB15CF54C884ADA7BA9EF44314F60C0AEFD099F20AD7B8D944CBA4

Function 004A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A3E35
IsMenu.USER32(?), ref: 004A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004A3E92
DrawMenuBar.USER32 ref: 004A3EA5

Strings

0, xrefs: 004A3D89

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: be11eda8e55823a4c5dd314aef5c7d7854119da3bd2d32cddc10917f40bcded8
Instruction ID: 358611fc54028fd19411c81743056fbcd683b987c2e189c7972843d632d761f0
Opcode Fuzzy Hash: be11eda8e55823a4c5dd314aef5c7d7854119da3bd2d32cddc10917f40bcded8
Instruction Fuzzy Hash: 81415975A01209EFDB10DF50D884AABBBB5FF5A356F04412AF9059B350E734AE41CF54

Function 004A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004A2F8D
LoadLibraryW.KERNEL32(?), ref: 004A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004A2FA9
DestroyWindow.USER32(?), ref: 004A2FB1

Strings

SysAnimate32, xrefs: 004A2F68

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5a059ece18695e012411c228c778116c19e0e175ffa8178757ede497c9db3c28
Instruction ID: 1b84eb1fdade81f0549b63b0f3455e8ea16a86318cb4c701d95909bb8856eeed
Opcode Fuzzy Hash: 5a059ece18695e012411c228c778116c19e0e175ffa8178757ede497c9db3c28
Instruction Fuzzy Hash: 5521C371200205AFEB108F68DD80FBB37BDEB6A368F10422AF950D6290D7B5DC51B768

Function 00434D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00434D1E,004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002), ref: 00434D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00434DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00434D1E,004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000), ref: 00434DC3

Strings

mscoree.dll, xrefs: 00434D86
CorExitProcess, xrefs: 00434D98

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 17d6c6ef9b1753d6ba9eb775796148d862211fa9ea9ac1400f165082f0fac582
Instruction ID: 4a44dd46e48559abad93e14b117633f573e7f023cd2bac84df3a9d42d1da2fbb
Opcode Fuzzy Hash: 17d6c6ef9b1753d6ba9eb775796148d862211fa9ea9ac1400f165082f0fac582
Instruction Fuzzy Hash: E8F03134640208ABDB515F94DC49BDEBFE5EB48752F0001AAE805A2250CB745940DE98

Function 00414E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414EAE
FreeLibrary.KERNEL32(00000000,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00414EA8
kernel32.dll, xrefs: 00414E94

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 2fcb139f9e97e8b65accf9693ffe75c06bc64cadc27bfd00ff72ecb099ccb975
Instruction ID: 9388f1a29be9f88115b5940574dbe45d4e4491b1a4eb700cbc59b58498d1ec89
Opcode Fuzzy Hash: 2fcb139f9e97e8b65accf9693ffe75c06bc64cadc27bfd00ff72ecb099ccb975
Instruction Fuzzy Hash: E8E0CD35B017229BD2711B257C58B9F6954AFC3F637050127FC04D2304DB68DD4148BD

Function 00414E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414E74
FreeLibrary.KERNEL32(00000000,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E87

Strings

kernel32.dll, xrefs: 00414E5B
Wow64RevertWow64FsRedirection, xrefs: 00414E6E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: dc3b485f2ac8406f4e6247426b62578b71c011e96e7fac995004df403e123362
Instruction ID: 989c52f1e93b047bff59084ed21e506efb34e8f80c4f378a66b6b0d8b510ba05
Opcode Fuzzy Hash: dc3b485f2ac8406f4e6247426b62578b71c011e96e7fac995004df403e123362
Instruction Fuzzy Hash: ADD0C2356427226746621B247C18ECB2E18AFC3B213050223F800A2214CF29CD42C9EC

Function 00482947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482C05
DeleteFileW.KERNEL32(?), ref: 00482C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00482C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482CC0

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ba34d2b73cca24ab54d8220da6c001a7e8a270f78aa769b9b9613a255c6993fd
Instruction ID: 5cf82a61d61d2dfd5d181f94456cb88ce852856a03885391282a198eab559881
Opcode Fuzzy Hash: ba34d2b73cca24ab54d8220da6c001a7e8a270f78aa769b9b9613a255c6993fd
Instruction Fuzzy Hash: 4DB17E72D01119ABDF11EFA5CD85EEEBB7CEF48304F0044ABF509A6141EB789A448F69

Function 0049A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0049A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0049A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0049A468
CloseHandle.KERNEL32(?), ref: 0049A63D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 877afe03b3f44d3bd7935d721423133d296b347392f1fb85ba45a9707894c6b2
Instruction ID: 9082ec479254e114fbc28b0797779e1aeb1a99a403012a6b58db033f1b30d769
Opcode Fuzzy Hash: 877afe03b3f44d3bd7935d721423133d296b347392f1fb85ba45a9707894c6b2
Instruction Fuzzy Hash: 50A19371604300AFDB20DF15D885F2ABBE5AF44718F14882EF9999B3D2D7B4EC418B96

Function 0044BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004B3700), ref: 0044BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0044BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004E1270,000000FF,?,0000003F,00000000,?), ref: 0044BC36
_free.LIBCMT ref: 0044BB7F

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044BD4B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 89655aef374f3786b320aa648b706b31e08314b5e144f8f6834667acac800707
Instruction ID: 0a4b96cad64463c0c510b95a757c983b12f7399a9e43482ed5795104e8fce694
Opcode Fuzzy Hash: 89655aef374f3786b320aa648b706b31e08314b5e144f8f6834667acac800707
Instruction Fuzzy Hash: 4F51D871D00209AFEB10EF669CC19AEB7B8EF45314B1042AFE554E72A1EB74DD418BD8

Function 0047E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0047CF22,?), ref: 0047DDFD

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0047CF22,?), ref: 0047DE16

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

lstrcmpiW.KERNEL32(?,?), ref: 0047E473
MoveFileW.KERNEL32(?,?), ref: 0047E4AC
_wcslen.LIBCMT ref: 0047E5EB
_wcslen.LIBCMT ref: 0047E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0047E650

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2520168432b8b636160a162f24862c93690ecb6fc3b4ebb1331a84ccce1f6cf5
Instruction ID: 4a7e949fc09f8578df0285f7f958b2dc41a442f31998295e87a4b7bfad6995a5
Opcode Fuzzy Hash: 2520168432b8b636160a162f24862c93690ecb6fc3b4ebb1331a84ccce1f6cf5
Instruction Fuzzy Hash: 8C516FB24083455BC724EBA1DC819DB73ECAF89344F004A6FE689D3151EF78A588876E

Function 0049B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0049BB63
RegCloseKey.ADVAPI32(?,?), ref: 0049BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0049BBB3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: bafa64b433be41009be818a03790b9a1c939d27772ad57c9136980c2edc90191
Instruction ID: 5041afaf4b4e0da743bf7ef48ad0b16c2d0bc52f8bb74cfb1fbad5ef4f0e9427
Opcode Fuzzy Hash: bafa64b433be41009be818a03790b9a1c939d27772ad57c9136980c2edc90191
Instruction Fuzzy Hash: B161D131208201AFC714DF14C990E6BBBE5FF84308F14896EF4998B2A2DB35ED45CB96

Function 00478BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478BCD
VariantClear.OLEAUT32 ref: 00478C3E
VariantClear.OLEAUT32 ref: 00478C9D
VariantClear.OLEAUT32(?), ref: 00478D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00478D3B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 694fcbc8b9cf9751aef9645ff0760a301874e197b115279830d1c5d8bc83d813
Instruction ID: 70ca067523b154fdbb5e6de94d7b85697061bc555aadc03d714f56de2c1ba891
Opcode Fuzzy Hash: 694fcbc8b9cf9751aef9645ff0760a301874e197b115279830d1c5d8bc83d813
Instruction Fuzzy Hash: FC516DB5A00219DFCB10CF58D894AAABBF4FF8D314B15855AE909DB350D734E911CF94

Function 00488AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00488BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00488BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00488C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00488C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00488C5F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 61e4b954acb49de43a26ce4b217554572a3953bff168a9f3b4acbe787d2948fe
Instruction ID: a829c9f05553940ea5e42b33936484159c4767965be1b7d4bd357bd9017903e4
Opcode Fuzzy Hash: 61e4b954acb49de43a26ce4b217554572a3953bff168a9f3b4acbe787d2948fe
Instruction Fuzzy Hash: 6D515F35A00214AFCB01DF65C881AAEBBF5FF49318F08845DE849AB362DB35ED41CB94

Function 00498EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00498F40
GetProcAddress.KERNEL32(00000000,?), ref: 00498FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00498FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00499032
FreeLibrary.KERNEL32(00000000), ref: 00499052

Part of subcall function 0042F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00481043,?,7644E610), ref: 0042F6E6
Part of subcall function 0042F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0046FA64,00000000,00000000,?,?,00481043,?,7644E610,?,0046FA64), ref: 0042F70D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f1dfa2a8af92c6f2fa23fa31397c99e199f4062d0487f0e37f120e8f4857c860
Instruction ID: ba985ac36e7d70186bcf075020540c50bf7674d1c3f7e011078ac1edfa6f5ef5
Opcode Fuzzy Hash: f1dfa2a8af92c6f2fa23fa31397c99e199f4062d0487f0e37f120e8f4857c860
Instruction Fuzzy Hash: 22512935600205DFCB11DF59C4948AEBBF1FF49358B0480AEE8169B362DB35ED86CB95

Function 004A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0048AB79,00000000,00000000), ref: 004A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004A6CC7

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e4dfb80d215fe2f0abfa13afd2ae1b7df0d614a54378e2a4d9d2adce287eb267
Instruction ID: 3b4f8a48d1fb26aceece9514bb38876a1b8233be03b8539f99eeaf058a13b111
Opcode Fuzzy Hash: e4dfb80d215fe2f0abfa13afd2ae1b7df0d614a54378e2a4d9d2adce287eb267
Instruction Fuzzy Hash: 2841F635600114AFD724CF28CC84FA67FA5EB1B360F0A022AF955AB3E1C779ED41CA58

Function 00442051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004420C3
_free.LIBCMT ref: 004420E3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: daf33a5b8842fb7a8a440f6bb4683ce336f28dd3ef03a246876850ab670c2d30
Instruction ID: dbe4b12d1b5ef9a76a7b268ee01cd29a6b7b1667680eef61006dd1f4afb043e6
Opcode Fuzzy Hash: daf33a5b8842fb7a8a440f6bb4683ce336f28dd3ef03a246876850ab670c2d30
Instruction Fuzzy Hash: 56410472A002009FEB20DF79C981A5EB3F1EF88314F95416AF605EB352D6B5AD01CB84

Function 0042912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00429141
ScreenToClient.USER32(00000000,?), ref: 0042915E
GetAsyncKeyState.USER32(00000001), ref: 00429183
GetAsyncKeyState.USER32(00000002), ref: 0042919D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 23f58be605c12e13882f6a621315a3a09da15055e6934ad91cd90781d33d268a
Instruction ID: d07b7fb9b1cc10956d52b5274f51739ca756b7f87ede036128ea1593edfdff20
Opcode Fuzzy Hash: 23f58be605c12e13882f6a621315a3a09da15055e6934ad91cd90781d33d268a
Instruction Fuzzy Hash: DB417D31A0821AAADB059F69D844AFEB774FB06324F20822BE425A23D0D7785D50CB96

Function 00483874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00483922
TranslateMessage.USER32(?), ref: 0048394B
DispatchMessageW.USER32(?), ref: 00483955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00483966

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e6b956bf743025c86a323533d8fb16062911f204e1dfbd9e1c3a221e0b9aef96
Instruction ID: cfab3a0175811c045164ca863a3fe19fea1ccd759c791dfe665831cb9672692f
Opcode Fuzzy Hash: e6b956bf743025c86a323533d8fb16062911f204e1dfbd9e1c3a221e0b9aef96
Instruction Fuzzy Hash: 4B31DAB09443819EEB35EF34D888B7B3BE8AB05B05F040D7BE452862A1D3FC9585CB19

Function 0048CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0048CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFF2

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 0e7d5d5a29057239a9d7d12df7fd91d9d5eee3fbe4b5a27e64e8aeec1791dca1
Instruction ID: 876457f0adcaf2424fbabab0cef010281955103ad9a08f2b8f0f95e5a748d9fa
Opcode Fuzzy Hash: 0e7d5d5a29057239a9d7d12df7fd91d9d5eee3fbe4b5a27e64e8aeec1791dca1
Instruction Fuzzy Hash: 5C314171504205AFEB20EFA5D8C49AF7BF9EB15354B10486FF606D2280DB38AD459B68

Function 00471901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00471915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004719E2

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 085d660e6e7fb3195bc34f4fdc3be1d84c6fc89de580f156c20b6a24d221a68d
Instruction ID: b81f49960a7c1050747a43b0eeea243e6d0626db0cd380daa65a4b8b37457e6a
Opcode Fuzzy Hash: 085d660e6e7fb3195bc34f4fdc3be1d84c6fc89de580f156c20b6a24d221a68d
Instruction Fuzzy Hash: C931F6B1A00219EFCB10CFACCD98ADE3BB5EB05314F008226FA25A72E0C3749D45CB94

Function 004A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004A579D
_wcslen.LIBCMT ref: 004A57AF
_wcslen.LIBCMT ref: 004A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004A5816

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e69d7c13cfee4c0b5b5f4270a619e052e1bff7d024229b3e3a9b4c17043470eb
Instruction ID: a68b5054da3947af00bb4884a75f7ad8ccd26a7aca2bd31704d276795f5bfeb5
Opcode Fuzzy Hash: e69d7c13cfee4c0b5b5f4270a619e052e1bff7d024229b3e3a9b4c17043470eb
Instruction Fuzzy Hash: 7C21D775900608DADB20DF60CD84AEE7B7CFF16324F104117F919EA280D7789985CF59

Function 00490930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00490951
GetForegroundWindow.USER32 ref: 00490968
GetDC.USER32(00000000), ref: 004909A4
GetPixel.GDI32(00000000,?,00000003), ref: 004909B0
ReleaseDC.USER32(00000000,00000003), ref: 004909E8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6f66b99f1474ac2ce5f3f7d840feaef23cf7908b7fcf019991c7a53eafa980e0
Instruction ID: e348afaf92aaf7ff8b2808d734d348c12d10c30eb487fb869ddea32893235637
Opcode Fuzzy Hash: 6f66b99f1474ac2ce5f3f7d840feaef23cf7908b7fcf019991c7a53eafa980e0
Instruction Fuzzy Hash: B421A175600204AFD704EF65C984AAEBBE9EF49704F00843EE84AA7362DB34AC45CB94

Function 0044CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CDE9

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044CE0F
_free.LIBCMT ref: 0044CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044CE31

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 08e1ae7251d896a1960962ce4e7754ec2ea01e1cf9f5a629c3fc0d4c9517cf23
Instruction ID: e5c4b19c28e31fe9e747232f6dac4d4b5fa34164c6cd0ee705155136c413902d
Opcode Fuzzy Hash: 08e1ae7251d896a1960962ce4e7754ec2ea01e1cf9f5a629c3fc0d4c9517cf23
Instruction Fuzzy Hash: DB0175726026157F376116B76CC8D7BAD6DDAC7BA1329012AFD05C6201DF698D0291B8

Function 00429639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
SelectObject.GDI32(?,00000000), ref: 004296A2
BeginPath.GDI32(?), ref: 004296B9
SelectObject.GDI32(?,00000000), ref: 004296E2

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4853d94e95593719ae1833e5db8daf04a16c977158f633886e731729882d6b15
Instruction ID: 1dc2e6510d7a8b3376017f75bc0bbea1bcce5f88e2b3ab9b9b44a86e2b92b094
Opcode Fuzzy Hash: 4853d94e95593719ae1833e5db8daf04a16c977158f633886e731729882d6b15
Instruction Fuzzy Hash: 1921A1B0A42355EBDB118F64EC88BAA3BA4BF11355F500236F4109A2B2D3785C81CF9C

Function 00475711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00475726
_memcmp.LIBVCRUNTIME ref: 00475744
_memcmp.LIBVCRUNTIME ref: 00475757
_memcmp.LIBVCRUNTIME ref: 0047576F
_memcmp.LIBVCRUNTIME ref: 00475787

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7af7611d85b753bd4b00e5a3d71d25766f0c44141e088f0aad73b1a16dcb494e
Instruction ID: 95fe706676b1af874f0c5f7b09a68588c1f1f1fbdab0b9d9e0dbd6ae1940ddaf
Opcode Fuzzy Hash: 7af7611d85b753bd4b00e5a3d71d25766f0c44141e088f0aad73b1a16dcb494e
Instruction Fuzzy Hash: 200192A1641A09BAA20C55129D82FFB635C9B253A8F108037FD089EA41F7ADED1582AD

Function 00442DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6), ref: 00442DFD
_free.LIBCMT ref: 00442E32
_free.LIBCMT ref: 00442E59
SetLastError.KERNEL32(00000000,00411129), ref: 00442E66
SetLastError.KERNEL32(00000000,00411129), ref: 00442E6F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 18d39f4f35d788565a69eccbb32a4c16798351e5bd8cd9fe340a28c4741db5af
Instruction ID: 2a8e50c9df9d9ed104c4451fdea57554a7bd7abfa23c90cdcfea427223f98d00
Opcode Fuzzy Hash: 18d39f4f35d788565a69eccbb32a4c16798351e5bd8cd9fe340a28c4741db5af
Instruction Fuzzy Hash: 7A01F97224560167F61267366E85D2F2659ABD27A97F5003FF825E2293EEFCCC01412C

Function 0047000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?,?,0047035E), ref: 0047002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?), ref: 00470064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470070

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e89e9185c9af94200255ca9a4afe8ad41df043aa060daf5fe0e1f4606f23c83a
Instruction ID: 23021f586f535801a659cad62ed450542fa43cbbbcdb01b6b7b344be3df9142e
Opcode Fuzzy Hash: e89e9185c9af94200255ca9a4afe8ad41df043aa060daf5fe0e1f4606f23c83a
Instruction Fuzzy Hash: D901A272601204FFDB505F68EC44BEA7EEDEF44762F148129F909D6210D779DD409BA4

Function 0047E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0047E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0047E9A5
Sleep.KERNEL32(00000000), ref: 0047E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0047E9B7
Sleep.KERNEL32 ref: 0047E9F3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2179a7372f7dbf06ae8ae120ef0d17ef4bee33749576cdcef1aed6ef2d0e4017
Instruction ID: f2088184f57336d844a909f770ddc2b3d6f329e7bd0d8ac59f20cd0a270141e8
Opcode Fuzzy Hash: 2179a7372f7dbf06ae8ae120ef0d17ef4bee33749576cdcef1aed6ef2d0e4017
Instruction Fuzzy Hash: BA01A1B2D01529DBCF409FE6DD886DDBB78FF0E300F004296D601B2241CB384551CB69

Function 004710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7f78811814a72b0c02fdbb5afd4f8e47da716614da87759c790437b700499d45
Instruction ID: 3f38b739c9eebb035901a3d6181a786c075046380bdc294c554717718219e434
Opcode Fuzzy Hash: 7f78811814a72b0c02fdbb5afd4f8e47da716614da87759c790437b700499d45
Instruction Fuzzy Hash: CC011D79200205BFDB514FA9DC89AAB3F6EEF8A360B504425FA46D7360DA31DD009E64

Function 00470FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00470FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00470FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00470FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00470FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00471002

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2c84c71b5a7be7f69b4e30d5384410c2d2d18b4f021ee88ab878231e16aa690e
Instruction ID: b8981c4fdc8285d3277d01006d97029e100e31809b1bdea7f56964640f9af566
Opcode Fuzzy Hash: 2c84c71b5a7be7f69b4e30d5384410c2d2d18b4f021ee88ab878231e16aa690e
Instruction Fuzzy Hash: F2F0A975200301ABDB210FA89C89F973FADEF8A762F104825FA09D6260DE70DC408A64

Function 00471014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0047102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00471036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0047104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471062

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e20494f3a47d287b625f89700a330764807d549aeea3c630d1e7064eb03ff2b7
Instruction ID: 40e34e9eae8a88c544268f3db91f3f00edc97a0506d78080eabd363fde28ffe1
Opcode Fuzzy Hash: e20494f3a47d287b625f89700a330764807d549aeea3c630d1e7064eb03ff2b7
Instruction Fuzzy Hash: 0DF0A975200301ABDB211FA8EC88F973FADEF8A761F104425FA09E6260DE70D8408A64

Function 0048030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480324
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480331
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 0048033E
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 0048034B
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480358
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480365

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f34691dd8f73bd4e4db5348961348b5a9e62097038b719dd2a7259ee131cb3a4
Instruction ID: c32c7e71f5cdd539bc6d4072fb9e5749306e480631bf004e3a27d4ae3b5c44a9
Opcode Fuzzy Hash: f34691dd8f73bd4e4db5348961348b5a9e62097038b719dd2a7259ee131cb3a4
Instruction Fuzzy Hash: 1101DC72800B019FCB30AF66D88080BFBF9BE602053058E3FD19252A30C3B4A948CF84

Function 0044D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D752

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044D764
_free.LIBCMT ref: 0044D776
_free.LIBCMT ref: 0044D788
_free.LIBCMT ref: 0044D79A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 143f466ed7a907e6981e3a3d70175cf5e3502c2cea1d21b49757def193a6f240
Instruction ID: 14dbad4606ffe41d2f073dcaad61d9b2f57bc155d9c8a2c59d83fd0eab05b2ef
Opcode Fuzzy Hash: 143f466ed7a907e6981e3a3d70175cf5e3502c2cea1d21b49757def193a6f240
Instruction Fuzzy Hash: 16F012B2A45205ABA621FB66FAC5C177BDDBB44715BD40C1BF048D7601C778FC80866C

Function 00475C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00475C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00475C6F
MessageBeep.USER32(00000000), ref: 00475C87
KillTimer.USER32(?,0000040A), ref: 00475CA3
EndDialog.USER32(?,00000001), ref: 00475CBD

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: bb59ec5287a00e61e4ab1e5b9356a4277eba31e13a9486c6b36868533097a465
Instruction ID: 9a317d90fb9fe38d13e78c233653d40680c15c65805b64baaf6f06db39f602f6
Opcode Fuzzy Hash: bb59ec5287a00e61e4ab1e5b9356a4277eba31e13a9486c6b36868533097a465
Instruction Fuzzy Hash: F3018630500B04AFFB215B10DD8EFE67BB8BB01B05F04456AA587A50E1DBF4A9898A99

Function 004422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004422BE

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 004422D0
_free.LIBCMT ref: 004422E3
_free.LIBCMT ref: 004422F4
_free.LIBCMT ref: 00442305

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd1493f46af5fbeff70f7d3d265acb9415c9f2c44b8aa34cf693d3a80b904407
Instruction ID: ded007adef903f19d41836a550c5a512f8eca7a9e8d7194f03c9851f85b970ad
Opcode Fuzzy Hash: bd1493f46af5fbeff70f7d3d265acb9415c9f2c44b8aa34cf693d3a80b904407
Instruction Fuzzy Hash: DCF054F45411919BAA12BF56BDC180D3B64F718761780056BF410EA372C7F91452EFEC

Function 004295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004295D4
StrokeAndFillPath.GDI32(?,?,004671F7,00000000,?,?,?), ref: 004295F0
SelectObject.GDI32(?,00000000), ref: 00429603
DeleteObject.GDI32 ref: 00429616
StrokePath.GDI32(?), ref: 00429631

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 431a56af6126d74fb934f5478809107661f17544e590573119585be63491499a
Instruction ID: 95a409aef37bcee009baea42993923f6b71e8e16e567864d5747744f86aa7a26
Opcode Fuzzy Hash: 431a56af6126d74fb934f5478809107661f17544e590573119585be63491499a
Instruction Fuzzy Hash: 08F0AF7114A244EBDB164FA4ED8C7653FA1BB02322F408234F425591F3CB388991CF2C

Function 00440F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004410F9
__freea.LIBCMT ref: 00441117

Part of subcall function 00441537: _free.LIBCMT ref: 0044154F

Strings

am/pm, xrefs: 0044117A
a/p, xrefs: 004411DE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ac29a15a75f5bae84f4bf38eaca9e3f7c03b467563d47b9fea527550e3e37074
Instruction ID: 0ceb46b2ee8850823f06aeb7929aa029d6cc207dcfd13acb96d393fe0527b033
Opcode Fuzzy Hash: ac29a15a75f5bae84f4bf38eaca9e3f7c03b467563d47b9fea527550e3e37074
Instruction Fuzzy Hash: 9BD1DE31A002069AFB249F68C845ABBB7B0FF05700F28415BE911ABB61D37D9DC1CB99

Function 004961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00430242: EnterCriticalSection.KERNEL32(004E070C,004E1884,?,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043024D
Part of subcall function 00430242: LeaveCriticalSection.KERNEL32(004E070C,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043028A

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

__Init_thread_footer.LIBCMT ref: 00496238

Part of subcall function 004301F8: EnterCriticalSection.KERNEL32(004E070C,?,?,00428747,004E2514), ref: 00430202
Part of subcall function 004301F8: LeaveCriticalSection.KERNEL32(004E070C,?,00428747,004E2514), ref: 00430235

Part of subcall function 0048359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004835E4
Part of subcall function 0048359C: LoadStringW.USER32(004E2390,?,00000FFF,?), ref: 0048360A

Strings

x#N, xrefs: 0049636F
x#N, xrefs: 00496353
x#N, xrefs: 0049633A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#N$x#N$x#N
API String ID: 1072379062-56826683
Opcode ID: 39147560ad18f31416446e838bdff74776310c3d71ce3773bbb55d3b3734d6f4
Instruction ID: c9ba9791fd84f5f4aa6aa16194e221c61a93dfe8eef98ed134441fb040390de9
Opcode Fuzzy Hash: 39147560ad18f31416446e838bdff74776310c3d71ce3773bbb55d3b3734d6f4
Instruction Fuzzy Hash: C3C17F71A00105AFCF14EF99D890EBEBBB9EF48314F12806EE9059B251D778ED45CB98

Function 00445AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOA, xrefs: 00445BA8, 00445C6C

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: JOA
API String ID: 0-4101436360
Opcode ID: 87deaf03650484b5bfb456725a0e376c9996693db3396a84479cb781f0a7f70a
Instruction ID: 81db98df509d698b7c7209a264c5ff66790e7bc3a0b2e1f92e08d4c7083a60d6
Opcode Fuzzy Hash: 87deaf03650484b5bfb456725a0e376c9996693db3396a84479cb781f0a7f70a
Instruction Fuzzy Hash: 4151C171D006099FEF209FA5C885FAFBBB4EF09314F14005BF405A7293D6799902CB6A

Function 00448A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00448B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00448B7A
__dosmaperr.LIBCMT ref: 00448B81

Strings

.C, xrefs: 00448A63

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .C
API String ID: 2434981716-1181961956
Opcode ID: b4b5be51b042283190a2174b5a85a689248d549f55c904eed8fcce7da5501a6a
Instruction ID: 876e3e89d12ec28d3a816206eda3b7418d01e9375f873fec0301dd9fe1d29aae
Opcode Fuzzy Hash: b4b5be51b042283190a2174b5a85a689248d549f55c904eed8fcce7da5501a6a
Instruction Fuzzy Hash: A5418E70604085AFFB249F24CC81A7E7FA5DB86304F2841AFF85497242DE799C53979C

Function 00472716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004721D0,?,?,00000034,00000800,?,00000034), ref: 0047B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00472760

Part of subcall function 0047B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0047B3F8

Part of subcall function 0047B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0047B355
Part of subcall function 0047B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00472194,00000034,?,?,00001004,00000000,00000000), ref: 0047B365
Part of subcall function 0047B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00472194,00000034,?,?,00001004,00000000,00000000), ref: 0047B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0047281A

Strings

@, xrefs: 00472832

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e75cdcd01f02b8d1c994f5de6ad2e6fb2f374daa85f874f4d6fa5a51d1b83f7d
Instruction ID: ece7c4acca13ec0c699f4aa41f657afa398bf470d499fc4f00e7c5bbaa8e9516
Opcode Fuzzy Hash: e75cdcd01f02b8d1c994f5de6ad2e6fb2f374daa85f874f4d6fa5a51d1b83f7d
Instruction Fuzzy Hash: AB413072900218AFDB10DFA4CD41BDEBBB8EF05304F00819AFA59B7181DB756E85CB95

Function 0044172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00441769
_free.LIBCMT ref: 00441834
_free.LIBCMT ref: 0044183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00441760, 00441767, 00441796, 004417CE

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: b4561e3ece174b7b87abf092e99de7caf8d94870fbd739fdd3e471e05f8cf732
Instruction ID: e6daf98204c1486b4033c53dace1f45ae52d7552e79a54cd432265da8d768396
Opcode Fuzzy Hash: b4561e3ece174b7b87abf092e99de7caf8d94870fbd739fdd3e471e05f8cf732
Instruction Fuzzy Hash: 4C318371A40258ABEB21DB9A9C81D9FBBFCEB85310B1441ABF504A7221D6744A80CB98

Function 0047C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0047C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0047C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004E1990,018E4A58), ref: 0047C395

Strings

0, xrefs: 0047C2DF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 861342acafa3479daa35de97740a82bca3f1f25c9ee3e0d31f31d9a706338fd6
Instruction ID: ca7b83f462996cfa4db5589584a919406778e3f4ac46951a50779401c90e84e1
Opcode Fuzzy Hash: 861342acafa3479daa35de97740a82bca3f1f25c9ee3e0d31f31d9a706338fd6
Instruction Fuzzy Hash: 2E418F712043019FD720DF25D884B9ABBE8AB85324F14C61EFDA9972D1D778A904CB6A

Function 004A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004ACC08,00000000,?,?,?,?), ref: 004A44AA
GetWindowLongW.USER32 ref: 004A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A44D7

Strings

SysTreeView32, xrefs: 004A447C

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 880e6787fa4053b923dd72c85b75bc62b710673df055dd979284f2a8ff52493d
Instruction ID: e45ae8497fde00ea699975e0baa6b1a08c5326ba50c8acc82a69c4faa1a0856d
Opcode Fuzzy Hash: 880e6787fa4053b923dd72c85b75bc62b710673df055dd979284f2a8ff52493d
Instruction Fuzzy Hash: A831B231200205AFDB208F78DC45BDB7BA9EB9A338F20472AF975922D0D7B8EC509754

Function 00476E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00476EED
VariantCopyInd.OLEAUT32(?,?), ref: 00476F08
VariantClear.OLEAUT32(?), ref: 00476F12

Strings

*jG, xrefs: 00476E8B, 00476E90, 00476EF8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jG
API String ID: 2173805711-3174124858
Opcode ID: 532eaa85fe75b0e4e21517a9be614e7ddc8613fb8b063b750d59b156a4094bf4
Instruction ID: ca92d3ab91f30acc51170f67dcaca04aec4c3d6986c15e87d1a0a1d2b614d77a
Opcode Fuzzy Hash: 532eaa85fe75b0e4e21517a9be614e7ddc8613fb8b063b750d59b156a4094bf4
Instruction Fuzzy Hash: 8F319071704606DBCB04AF65E8909FE3777EF45308B1144AAF90A4B2A1C7389952DBDD

Function 0049304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00493077,?,?), ref: 00493378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
_wcslen.LIBCMT ref: 0049309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00493106

Strings

255.255.255.255, xrefs: 00493095, 0049309A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b846ea03849b7cf3a037420d21f80fadcfd4415dea69e6d5f869bc7357fa7a48
Instruction ID: 2309739ad176778b1fbb4edccff78af1228bb4c28be928dd8ee4c6289cc451b6
Opcode Fuzzy Hash: b846ea03849b7cf3a037420d21f80fadcfd4415dea69e6d5f869bc7357fa7a48
Instruction Fuzzy Hash: A331D5352002019FCF20DF69C486EAA7FE0EF56319F24806AE9158B3A2D779EE45C765

Function 004A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004A471A

Strings

msctls_updown32, xrefs: 004A4684

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d4944e9b556eb0b9e5f146698d3d0f3c0d53e2fd79fa4ba854c3605969a50de7
Instruction ID: 342302416842dbe5e8a820cf96fba1abf55ab34af325e8514b308ddfa1708659
Opcode Fuzzy Hash: d4944e9b556eb0b9e5f146698d3d0f3c0d53e2fd79fa4ba854c3605969a50de7
Instruction Fuzzy Hash: CD2162B5601244AFDB10DF68DCC1DBB37ADEB9B398B04005AFA009B361DB74EC51CA64

Function 004795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047961D

Strings

#requireadmin, xrefs: 004795D9
#notrayicon, xrefs: 004795B7
#OnAutoItStartRegister, xrefs: 004795F3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: db8bdabd4b58a3a10f68f15511ee80768d4b835fe45d313885f2456453bf490a
Instruction ID: aa405bb422afbe7927a0bb2e7d602d9b8112f0a1fb63b39fa494f1d455cd9b62
Opcode Fuzzy Hash: db8bdabd4b58a3a10f68f15511ee80768d4b835fe45d313885f2456453bf490a
Instruction Fuzzy Hash: 06212E7210462166D331AB269C02FF773E89F65314F54802FF94D97241EB5DAD45C29D

Function 004A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004A3876

Strings

Listbox, xrefs: 004A380F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 4774221057044af95b8dc44b54bbd4d565a11c2dd4b0e2acd17bb3da107af83f
Instruction ID: bdf332832c4d3c633d1f203710be3d44e1e59fcd21e73d3262a835f34456e84d
Opcode Fuzzy Hash: 4774221057044af95b8dc44b54bbd4d565a11c2dd4b0e2acd17bb3da107af83f
Instruction Fuzzy Hash: 862107726001187BEF11DF54CC80FBB376EEF9A754F10812AF9009B290D679DC518794

Function 004849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00484A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00484A5C
SetErrorMode.KERNEL32(00000000,?,?,004ACC08), ref: 00484AD0

Strings

%lu, xrefs: 00484A6F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: fa5d26eb0e0566b1e5d05ecefd26c460b1112efcd8688c8e78f352778cbdedf0
Instruction ID: c4e3ee8dfc34bc2c52ffc4d8305aea6d59b9c2d21503e4231c32b609fe6cbba1
Opcode Fuzzy Hash: fa5d26eb0e0566b1e5d05ecefd26c460b1112efcd8688c8e78f352778cbdedf0
Instruction Fuzzy Hash: 0D318075A00109AFD710DF54C885EAE7BF8EF49308F1480AAE809DB352DB75ED45CB65

Function 004A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004A4271

Strings

msctls_trackbar32, xrefs: 004A4226

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 803734ff345fb930105773d849f1d0ed670929e1412b7aff903d1749a56e7ad4
Instruction ID: d34ff235fa9ffbdd703f64f95d5d4ad6ceb2d31c266f3ebcbd5deaee30c8d840
Opcode Fuzzy Hash: 803734ff345fb930105773d849f1d0ed670929e1412b7aff903d1749a56e7ad4
Instruction Fuzzy Hash: 6A113A322402087EEF205F25CC45FAB3BACEFD6764F010126FA40E6190D2B5DC518B18

Function 00472F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Part of subcall function 00472DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00472DC5
Part of subcall function 00472DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00472DD6
Part of subcall function 00472DA7: GetCurrentThreadId.KERNEL32 ref: 00472DDD
Part of subcall function 00472DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00472DE4

GetFocus.USER32 ref: 00472F78

Part of subcall function 00472DEE: GetParent.USER32(00000000), ref: 00472DF9

GetClassNameW.USER32(?,?,00000100), ref: 00472FC3
EnumChildWindows.USER32(?,0047303B), ref: 00472FEB

Strings

%s%d, xrefs: 00472FFF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 938b035bf15ce9bc11b5fdff85247d92f06d5eca47bf9eac341b8ee427d3f23e
Instruction ID: 7cba6459d84f60ebceb6e958ef49e9b8f75ae700e1641ecb818d52fbb0678e4f
Opcode Fuzzy Hash: 938b035bf15ce9bc11b5fdff85247d92f06d5eca47bf9eac341b8ee427d3f23e
Instruction Fuzzy Hash: 0911E4B16002056BCF50BF718CC5FEE376AAF84308F04807BF90D9B252DE7899499B68

Function 004A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004A58EE
DrawMenuBar.USER32(?), ref: 004A58FD

Strings

0, xrefs: 004A588F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: d3ab2d032216fad3974ff379c9246991f07f4fa92f65967ddb01cc7daca83607
Instruction ID: 6cce3f63e860bbd74be7087d248058969e21914c936b1b22677b24cb85b8bc67
Opcode Fuzzy Hash: d3ab2d032216fad3974ff379c9246991f07f4fa92f65967ddb01cc7daca83607
Instruction Fuzzy Hash: 68018471500218EFDB519F11EC44BAFBBB8FF46360F1080AAF849DA251DB348A84DF25

Function 0047007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e7a76b08c311a0456e80ac93ce77fd7f81d2607a6960046681a79c580d8619
Instruction ID: 30904cbb3f1f7f3b0e0d26bc88f3c04b36d29190e2af97f3209cc02610a4562d
Opcode Fuzzy Hash: b4e7a76b08c311a0456e80ac93ce77fd7f81d2607a6960046681a79c580d8619
Instruction Fuzzy Hash: 64C16C75A0120AEFDB14CFA4C894EAEB7B5FF48304F208599E909EB251D735ED42CB94

Function 0049342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00493459
CoUninitialize.OLE32 ref: 00493463
VariantInit.OLEAUT32(?), ref: 0049346E
VariantClear.OLEAUT32(?), ref: 0049371B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f9f97a1fa3f19f5c945d8d5aff214f2531aab5e2690341c61c07aea3e423f413
Instruction ID: 35e2ece6c6adc5468c17c6a0e55e15e1f88f114d03215012f1905c35e75a5f7d
Opcode Fuzzy Hash: f9f97a1fa3f19f5c945d8d5aff214f2531aab5e2690341c61c07aea3e423f413
Instruction Fuzzy Hash: 4DA16E75204300AFCB10DF25C485A5ABBE5FF89719F04885EF94A9B362DB38ED41CB5A

Function 00470436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004AFC08,?), ref: 004705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004AFC08,?), ref: 00470608
CLSIDFromProgID.OLE32(?,?,00000000,004ACC40,000000FF,?,00000000,00000800,00000000,?,004AFC08,?), ref: 0047062D
_memcmp.LIBVCRUNTIME ref: 0047064E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 49d480c9e0232dd85253fb5e1a619da80e2ee7ae5ab4adc54cd0f5f3244fd1b8
Instruction ID: 6666d4d76a5eabef93e750efca45d4cb71ebea393a0ee7ec06c185f2e6e5e93f
Opcode Fuzzy Hash: 49d480c9e0232dd85253fb5e1a619da80e2ee7ae5ab4adc54cd0f5f3244fd1b8
Instruction Fuzzy Hash: CB813971A00109EFCB04DF94C984EEEB7B9FF89315F208159F506AB250DB75AE06CB64

Function 0049A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0049A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0049A6BA

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Process32NextW.KERNEL32(00000000,?), ref: 0049A79C
CloseHandle.KERNEL32(00000000), ref: 0049A7AB

Part of subcall function 0042CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00453303,?), ref: 0042CE8A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 272c854cdb6b3197e95d9881c183daa25e0bd61b0dae3eb7764d09bd6790413b
Instruction ID: df926239ac5d77136032d197bdc39203963052ccd754074aa1f0b18be269c5cb
Opcode Fuzzy Hash: 272c854cdb6b3197e95d9881c183daa25e0bd61b0dae3eb7764d09bd6790413b
Instruction Fuzzy Hash: 0A518171508300AFC710EF25C886A5BBBF8FF89758F40492EF58597251EB34E944CB96

Function 00451391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004514C0

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8d07611b345f147778ec4bee98ff6eab5d28410972cbdfc56c99cc14b695cf94
Instruction ID: 9b124a8551b40aada1c48fc126a7b84a76fc1153a0df3f8410306c87279c5abc
Opcode Fuzzy Hash: 8d07611b345f147778ec4bee98ff6eab5d28410972cbdfc56c99cc14b695cf94
Instruction Fuzzy Hash: 52414131900100A7EB256BBA8C45B6F3AA4EF47379F14126BFC14D62F3E67C48495269

Function 004A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A62E2
ScreenToClient.USER32(?,?), ref: 004A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004A6382

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4825c11e2167e88004f225f39307592f56ba0d89aacb7d7a96589b554e058f78
Instruction ID: 11bd6ad433e23e12338e730dfdeedd3a83641ac58d97fca0e4aa8655945ee193
Opcode Fuzzy Hash: 4825c11e2167e88004f225f39307592f56ba0d89aacb7d7a96589b554e058f78
Instruction Fuzzy Hash: 77515C75A00209EFCF10DF68D880AAE7BB5EB66360F15816AF8159B3A1D734ED81CB54

Function 00491AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00491AFD
WSAGetLastError.WSOCK32 ref: 00491B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00491B8A
WSAGetLastError.WSOCK32 ref: 00491B94

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 42d8a671c9e0dea82dfdaa88628f17149bc70e7fda7e18c5f1127a4de40f3cb9
Instruction ID: 5838e8bb0a7c4d6a5d4fc4d59643e5c8a4caa6b83900d64a435e38f72263d2ed
Opcode Fuzzy Hash: 42d8a671c9e0dea82dfdaa88628f17149bc70e7fda7e18c5f1127a4de40f3cb9
Instruction Fuzzy Hash: B041E334600201AFDB20AF25C886F667BE5AB44708F54C45DF91A8F3D3D77AED828B94

Function 0044B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827480882dd9c1f8c197c620b9e981d251778628a1b402f35e200e47cb506d8b
Instruction ID: dd47dff0d69632b1fc069f2b275dbdf994a5d5a1e7ba879f1174c8a7cf57d6d5
Opcode Fuzzy Hash: 827480882dd9c1f8c197c620b9e981d251778628a1b402f35e200e47cb506d8b
Instruction Fuzzy Hash: 21411571A00704BFE7249F39CC42BAABBA9EB88714F10852FF555DB292D379E90187D4

Function 004856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00485783
GetLastError.KERNEL32(?,00000000), ref: 004857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004857FA

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5f0f4c100b1a50d0fc1f14d23f28f5df87dd9aa909db56d5ac9ec0e2c783b0c0
Instruction ID: 1e1c1169006bbf6b6143515db2d0c20cab159cc2f3de8a0992a1fa34eb0b59a9
Opcode Fuzzy Hash: 5f0f4c100b1a50d0fc1f14d23f28f5df87dd9aa909db56d5ac9ec0e2c783b0c0
Instruction Fuzzy Hash: 15414135600610DFCB11EF15C484A5EBBF2EF49318B18C89AE84A5B361CB38FD41CB95

Function 0044D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00436D71,00000000,00000000,004382D9,?,004382D9,?,00000001,00436D71,?,00000001,004382D9,004382D9), ref: 0044D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0044D9AB
__freea.LIBCMT ref: 0044D9B4

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: db6fc114a5125d9c4aeb1be850741bfce174e58f50b987c98a5e3acc735e1d1d
Instruction ID: e8bde2569c75b5926976a0984e8d8c2a6f801f9ae542add750c0619c37f1fac0
Opcode Fuzzy Hash: db6fc114a5125d9c4aeb1be850741bfce174e58f50b987c98a5e3acc735e1d1d
Instruction Fuzzy Hash: 9231CDB2A0020AABEF249F65DC81EAF7BA5EF41710F05016AFC04D6290EB39CD50CB94

Function 004A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004A5352
GetWindowLongW.USER32(?,000000F0), ref: 004A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004A53A8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: cac88b56cb4744f60406c7bb9657527409bd96b5b70ef398f1faf8076d212c98
Instruction ID: 5e8ae4d23a4f02b47f2ee34d72c6edb614801b4ce34adc7abb237c8f3a33946b
Opcode Fuzzy Hash: cac88b56cb4744f60406c7bb9657527409bd96b5b70ef398f1faf8076d212c98
Instruction Fuzzy Hash: F231E430A55A08FFEF309E14DE45BEA3761ABA6390F584113FE11962E1C7B89D40DB4A

Function 0047AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0047ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0047AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0047AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0047ACC6

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2e85973924a3b6836fea5be79c1db061b3275b2a578a557089be282fa5378c83
Instruction ID: 9b7cd69b858423b3bd1728dbb7ac65d4c7f4aa9068d8a61e12e4371e9a0aec77
Opcode Fuzzy Hash: 2e85973924a3b6836fea5be79c1db061b3275b2a578a557089be282fa5378c83
Instruction Fuzzy Hash: E031F830A006187FEF36CB658809BFF7BA5ABC5310F04C21BE489522D1C37D89A5879B

Function 004A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004A769A
GetWindowRect.USER32(?,?), ref: 004A7710
PtInRect.USER32(?,?,004A8B89), ref: 004A7720
MessageBeep.USER32(00000000), ref: 004A778C

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ad9f01b04d0407ebe58d1bd6a8efa648627726e7214698e0dfb4ece4a22d255d
Instruction ID: 281c847e5ef4d4bb3d3a3a44e00c7075ba0e0596c4a0cda96c2079c6931409f3
Opcode Fuzzy Hash: ad9f01b04d0407ebe58d1bd6a8efa648627726e7214698e0dfb4ece4a22d255d
Instruction Fuzzy Hash: 0D419F78605254DFCB21CF58CC94EAA77F4BB5A314F1541AAE4149B362C738B941CF98

Function 004A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004A16EB

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

GetCaretPos.USER32(?), ref: 004A16FF
ClientToScreen.USER32(00000000,?), ref: 004A174C
GetForegroundWindow.USER32 ref: 004A1752

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c1dc95facfe6ee1440833f223fb5cfa58ea6465fa3fc6fbec1d51d8f98b5bfc7
Instruction ID: 7f96c364aa62962e8546d8dc61a75a9c9848e96c4e7ba32d5638bef45d9228bd
Opcode Fuzzy Hash: c1dc95facfe6ee1440833f223fb5cfa58ea6465fa3fc6fbec1d51d8f98b5bfc7
Instruction Fuzzy Hash: 73313D75D00249AFC700EFAAC8C18EEBBF9EF49308B5080AAE415E7251D635DE45CBA4

Function 004A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

GetCursorPos.USER32(?), ref: 004A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00467711,?,?,?,?,?), ref: 004A9016
GetCursorPos.USER32(?), ref: 004A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00467711,?,?,?), ref: 004A9094

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 92e249b46de13416d1d93ccc39a885b4193c78241ceac73206379186a51af7de
Instruction ID: 935d4800c79c01b11d80747103308528a3e2cbb5f504a3cd88e748a6b9cab65d
Opcode Fuzzy Hash: 92e249b46de13416d1d93ccc39a885b4193c78241ceac73206379186a51af7de
Instruction Fuzzy Hash: 4B219F35604018FFCB258F94D898EEB7BB9EB4A390F14806AF9054B262C3399D90DB64

Function 0047D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004ACB68), ref: 0047D2FB
GetLastError.KERNEL32 ref: 0047D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0047D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004ACB68), ref: 0047D376

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2cbf998efb7b84d7c9b93faf74577725f69a0ba50cd196103bfbaaf45d0c1633
Instruction ID: a93264fde7d96f01c7be7b17843a0f24cf62a776a4c71e9b68568ef6115461f8
Opcode Fuzzy Hash: 2cbf998efb7b84d7c9b93faf74577725f69a0ba50cd196103bfbaaf45d0c1633
Instruction Fuzzy Hash: E72194709142019F8700DF24C8814EB77F4AE56368F108A1FF899C72A1DB35DD46CB9B

Function 00471571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00471014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0047102A
Part of subcall function 00471014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00471036
Part of subcall function 00471014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471045
Part of subcall function 00471014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0047104C
Part of subcall function 00471014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004715BE
_memcmp.LIBVCRUNTIME ref: 004715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00471617
HeapFree.KERNEL32(00000000), ref: 0047161E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 67ddbd88e4e5af09870c64dc9d6605923ecca63a1c17edca9303cd8587e4c3c5
Instruction ID: d9dfff3dabab45ceb8714f1668bca5812e270d89e350ba0174a533abbe99d602
Opcode Fuzzy Hash: 67ddbd88e4e5af09870c64dc9d6605923ecca63a1c17edca9303cd8587e4c3c5
Instruction Fuzzy Hash: 2921AE71E00108EFDF04DFA8C944BEFB7B8EF45344F18845AE445AB250E734AA04DB94

Function 004A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004A2840

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 32d6e3762ba7350183a8e24eaf63ea573b5a21e05bf2005e2b599879745df4f7
Instruction ID: db56252bdc6e01d2df789c08ab52efa053a809606eb9348d55a1efcbf3e682fd
Opcode Fuzzy Hash: 32d6e3762ba7350183a8e24eaf63ea573b5a21e05bf2005e2b599879745df4f7
Instruction Fuzzy Hash: 6A212735204510BFD7149B18C944FAA7B95EF56328F14421EF4268B2D2C7B9FC82C7D4

Function 004778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00478D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?), ref: 00478D8C
Part of subcall function 00478D7D: lstrcpyW.KERNEL32(00000000,?,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00478DB2
Part of subcall function 00478D7D: lstrcmpiW.KERNEL32(00000000,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?), ref: 00478DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477923
lstrcpyW.KERNEL32(00000000,?,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477984

Strings

cdecl, xrefs: 0047797B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f088ef0b20140a2920df60d82f96d4f775c420255339f66b4046683a73aa5bb5
Instruction ID: f817beb4e83c21496eaef826c97270e96265de037aa7a0ba54ec5e5f834742d1
Opcode Fuzzy Hash: f088ef0b20140a2920df60d82f96d4f775c420255339f66b4046683a73aa5bb5
Instruction Fuzzy Hash: 961106BA201201ABDB259F35D844EBB77A9FF95354B90802FF90AC7364EB359801C799

Function 004A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0048B7AD,00000000), ref: 004A7D6B

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4d116b3a2b0ef00409dc8062ed860a11a21c4d6f944aa111f0220a360637a86c
Instruction ID: 2ff3fdd6f282687191af6c6a1e9b2827e79318cc6051e5ebe701b8a412397121
Opcode Fuzzy Hash: 4d116b3a2b0ef00409dc8062ed860a11a21c4d6f944aa111f0220a360637a86c
Instruction Fuzzy Hash: 2711D271604664AFCB209F28CC44EAA3BA4BF46360B154325F835CB2F0D7349D11CB48

Function 004A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004A56BB
_wcslen.LIBCMT ref: 004A56CD
_wcslen.LIBCMT ref: 004A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004A5816

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 40fbca56e91c3880ad024139c5cd30f0f34810fba1066e50c22e1c13d253272d
Instruction ID: 93121e1a561321c9f23ce53c36f06316e67adc567e77f579c6c7e89628b9b1c7
Opcode Fuzzy Hash: 40fbca56e91c3880ad024139c5cd30f0f34810fba1066e50c22e1c13d253272d
Instruction Fuzzy Hash: 8111E47160060496DB20DF618D81AEF377CBF26364F10402BF905D6181EB789984CB69

Function 00441D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693c1b9348d53e0b407e5a73963cad68b971c5e093a46b6d6118ecbda7eda00f
Instruction ID: 9c390f9af195b6f70818d3e09ce3d1c66d0ad593979d0d7e4b33f55b196544e3
Opcode Fuzzy Hash: 693c1b9348d53e0b407e5a73963cad68b971c5e093a46b6d6118ecbda7eda00f
Instruction Fuzzy Hash: C101A2F2B056163EF62116796CC0F27661DDF423B8B34032BF531512E2DB78AC814178

Function 00471A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00471A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A8A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7644f6fb94bcaf4e820bbc0acd5abd0986869e14feafce7cfe9c983fb9f9b38c
Instruction ID: c9cefd1887674e26659ef604a5fb5134bf2a5a4f64c1251a1edf0bb595c37f8d
Opcode Fuzzy Hash: 7644f6fb94bcaf4e820bbc0acd5abd0986869e14feafce7cfe9c983fb9f9b38c
Instruction Fuzzy Hash: 51113C3AD01219FFEB10DBA9CD85FEDBB78EB04750F204092E604B7290D6716E50DB98

Function 0047E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0047E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0047E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0047E24D

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c104f3af63004dd52515a7bc3390fe84f3dc41de93c5742a118a384d4a9fb2ca
Instruction ID: b6a6a592197608a640e563703b85459fdc524964f18a76730567629e4bcabd6a
Opcode Fuzzy Hash: c104f3af63004dd52515a7bc3390fe84f3dc41de93c5742a118a384d4a9fb2ca
Instruction Fuzzy Hash: 9C110876A04254BBD7019BA99C45ADF7FAC9B49310F1083A6F818E7292D6748D008BA8

Function 0043D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0043CFF9,00000000,00000004,00000000), ref: 0043D218
GetLastError.KERNEL32 ref: 0043D224
__dosmaperr.LIBCMT ref: 0043D22B
ResumeThread.KERNEL32(00000000), ref: 0043D249

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 52d39bbaf73147edf9d085802b1177c033876b141600fdaad03e42d67c866e35
Instruction ID: 51834051b16dd18420ce9ff13f306668a1988137b665389d80b9f0c1e11753a7
Opcode Fuzzy Hash: 52d39bbaf73147edf9d085802b1177c033876b141600fdaad03e42d67c866e35
Instruction Fuzzy Hash: 94012632C04104BBDB105BA6EC05BAF7E68DF8A334F20126AF824921D0CF75C805C7A9

Function 0041600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
GetStockObject.GDI32(00000011), ref: 00416060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a74eaccfdf4773ea6a60f566481b17940b87a479eb4b1f57cbe54407961b4cc1
Instruction ID: ba29f56646e72325f0e0a788eb15f6c67daab6a637d514e49be6388f97691490
Opcode Fuzzy Hash: a74eaccfdf4773ea6a60f566481b17940b87a479eb4b1f57cbe54407961b4cc1
Instruction Fuzzy Hash: DE116172501549BFEF528FA49C84EEB7F69EF0D354F050116FA1456110D736DCA0DBA4

Function 00433B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00433B56

Part of subcall function 00433AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00433AD2
Part of subcall function 00433AA3: ___AdjustPointer.LIBCMT ref: 00433AED

_UnwindNestedFrames.LIBCMT ref: 00433B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00433B7C
CallCatchBlock.LIBVCRUNTIME ref: 00433BA4

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 68d22ebf473e438da906f1ad14b5d256cb04ca95e965f870ed07a3eb120ae729
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 85012932100148BBDF126E96CC42EEB7B79EF9C759F04501AFE4866121C73AE961DBA4

Function 00443073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004113C6,00000000,00000000,?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue), ref: 004430A5
GetLastError.KERNEL32(?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue,004B2290,FlsSetValue,00000000,00000364,?,00442E46), ref: 004430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue,004B2290,FlsSetValue,00000000), ref: 004430BF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 85e838e7c8c9946ee77f27aec168ce9842e41902318da09ad6c22b4c183db6d9
Instruction ID: 20370f9e5c0777ce75d17edaff14bb9f75e7d6c47a18ce68a7c3708be8396776
Opcode Fuzzy Hash: 85e838e7c8c9946ee77f27aec168ce9842e41902318da09ad6c22b4c183db6d9
Instruction Fuzzy Hash: 29012B32741222ABEB314F789C84A577F98AF06F62B200731F906E7244C725D901C6E8

Function 00477464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0047747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00477497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004774CA

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 82e96085e238b30f4895549be0b81f59032c72a1c61f9501471e776f2b5b00dc
Instruction ID: 5d4b0b2c14d54208af231344c9bde40a44e53b31e1d546870ab09c4f8815ee54
Opcode Fuzzy Hash: 82e96085e238b30f4895549be0b81f59032c72a1c61f9501471e776f2b5b00dc
Instruction Fuzzy Hash: 5111ADB1209310ABE7208F24DD48FE27FFCEB04B00F50C56AE61AD6191D7B4E904DBA9

Function 0047B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B126

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 79138d6bb3f5784e058b7eb508b89335c1e2aed42c0ca19fde1b66e9572b415d
Instruction ID: 48d7e74df17b6057cc97bd64d346efdc4ee027ff9fb537a47fbbac906ef5a239
Opcode Fuzzy Hash: 79138d6bb3f5784e058b7eb508b89335c1e2aed42c0ca19fde1b66e9572b415d
Instruction Fuzzy Hash: 86117C30E01528D7CF00AFA4EAA87EEBF78FF0A311F408096D945B2241CB3445518B99

Function 00472DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00472DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00472DD6
GetCurrentThreadId.KERNEL32 ref: 00472DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00472DE4

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1961b794c472422b4c0de5b98f74789b9ee487e4c7e277c354c126e401f34e1a
Instruction ID: b87f01c5f10060a412492a9b1b870ec1c2e0f909fe0a99c32d192a9ea3c82a0e
Opcode Fuzzy Hash: 1961b794c472422b4c0de5b98f74789b9ee487e4c7e277c354c126e401f34e1a
Instruction Fuzzy Hash: 3AE092B16412247BD7705B729C4DFEB3E6CEF43BA1F004026F109D10809AE4C841C6B4

Function 004A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00429639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296A2
Part of subcall function 00429639: BeginPath.GDI32(?), ref: 004296B9
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004A8887
LineTo.GDI32(?,?,?), ref: 004A8894
EndPath.GDI32(?), ref: 004A88A4
StrokePath.GDI32(?), ref: 004A88B2

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: eea3409c18f287947b44ebd05b5ab5a1801d7610fb28201d391157bbadf28e96
Instruction ID: 9556261b7eb524f335d09c0165836ef93800bf7b0f5930650f5c2abbaad27742
Opcode Fuzzy Hash: eea3409c18f287947b44ebd05b5ab5a1801d7610fb28201d391157bbadf28e96
Instruction Fuzzy Hash: 7CF09A36045258FADB122F94AC4DFCE3F59AF16310F408015FA01650E2CB780511CFAD

Function 004298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004298CC
SetTextColor.GDI32(?,?), ref: 004298D6
SetBkMode.GDI32(?,00000001), ref: 004298E9
GetStockObject.GDI32(00000005), ref: 004298F1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f7eb25c1e1786a791e1d19045a287f18faec2516a04ed175f5ca662420be32dc
Instruction ID: ba928036872f7c2ef7d45635bf9db5963d2cb7e7167ecdbaa58ff43519a9b47b
Opcode Fuzzy Hash: f7eb25c1e1786a791e1d19045a287f18faec2516a04ed175f5ca662420be32dc
Instruction Fuzzy Hash: 2BE06D31344280BADB615B74BC49BE93F60EB1333AF04822AF6FA581E1C77646809F15

Function 0047162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00471634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004711D9), ref: 0047163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004711D9), ref: 00471648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004711D9), ref: 0047164F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3455ba413995880fce21473448f674a75f37527053fdd77434d96a189192f8ac
Instruction ID: fc1552233b3613aa2d6fdab28cc4cfd17764255a119102564ca2bce572a92ddd
Opcode Fuzzy Hash: 3455ba413995880fce21473448f674a75f37527053fdd77434d96a189192f8ac
Instruction Fuzzy Hash: E9E08632601211DBD7601FE49D4DBC73F7CAF56791F148829F646D9090D6384540C798

Function 0046D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0046D858
GetDC.USER32(00000000), ref: 0046D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046D882
ReleaseDC.USER32(?), ref: 0046D8A3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 206cc2fc030c076f2b7c3619b743b9ddd9b82a3a9a72c99e9cdd2e31203dea83
Instruction ID: 5cd352858558942da78eaa85d93ec0daa9dc37f8ad9d541f3266bd3bf05a2fe0
Opcode Fuzzy Hash: 206cc2fc030c076f2b7c3619b743b9ddd9b82a3a9a72c99e9cdd2e31203dea83
Instruction Fuzzy Hash: A9E01270D00204DFCB819FA1D84C6ADBFB1FB09310F108019E806E7350C73885429F49

Function 0046D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0046D86C
GetDC.USER32(00000000), ref: 0046D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046D882
ReleaseDC.USER32(?), ref: 0046D8A3

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c0d85b0cddf737debb096954d77e914dde948dd14f08f53024f61bdc02d8737b
Instruction ID: 825e38040d51ddbf8777e13db2eadb6bd739364f02a09a82e73b8fb59e16a5ab
Opcode Fuzzy Hash: c0d85b0cddf737debb096954d77e914dde948dd14f08f53024f61bdc02d8737b
Instruction Fuzzy Hash: 04E01A70C00204DFCB819FA0D8886ADBFB1BB08310B108019E80AE7350CB3899029F48

Function 00484D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00484ED4

Strings

*, xrefs: 00484E10
LPT, xrefs: 00484DFB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c87e509cb331161fb37b2c3bac06a3c720a7d7524920d60e8657f48ee3ac4208
Instruction ID: 1d94090c200c6dc0b7fed4ee2d11222909032772910f6fb92928970a3701b455
Opcode Fuzzy Hash: c87e509cb331161fb37b2c3bac06a3c720a7d7524920d60e8657f48ee3ac4208
Instruction Fuzzy Hash: 46916075A002059FCB14EF58C484EAEBBF1AF84308F15849EE90A9F352D739ED85CB95

Function 00497771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0046569E,00000000,?,004ACC08,?,00000000,00000000), ref: 004978DD

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

CharUpperBuffW.USER32(0046569E,00000000,?,004ACC08,00000000,?,00000000,00000000), ref: 0049783B

Strings

<sM, xrefs: 004977C8

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sM
API String ID: 3544283678-3729773310
Opcode ID: f3db5a3388ff9245d280ae6737f90ae8dc5fe8fd67483ddd8dfe024b49ad6a48
Instruction ID: c92a08bf669e093a4a5771680f773d93d8dc16ad8186d56231a0307501107d1c
Opcode Fuzzy Hash: f3db5a3388ff9245d280ae6737f90ae8dc5fe8fd67483ddd8dfe024b49ad6a48
Instruction Fuzzy Hash: A2615D72924118AACF04FBA5CC91DFEB774FF14704B54412BE542A3191EF38AA85CBA9

Function 0042E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0042E1B1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 174a5b8aeed67b7b7104ae7295b0962e9bf3b50ac9712d41136d5d4e5354964e
Instruction ID: d1494864bbdaf89f30e31f60b50c8359592faf2ee6d2f9fca1b07af47b4668a6
Opcode Fuzzy Hash: 174a5b8aeed67b7b7104ae7295b0962e9bf3b50ac9712d41136d5d4e5354964e
Instruction Fuzzy Hash: BC511339600256DFDB14DF2AD0816FA7BA4EF15310F64405BE8929B390E6389D43CBAA

Function 0042F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0042F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0042F2BB

Strings

@, xrefs: 0042F2AF

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dc8d2e6aadaa68db752db86bd477804e8a53291406bff81c9315c621c7055a8e
Instruction ID: 5de2cd8dd683cedd83241b537659f01411918906c5e7ea9c5befa9025096f3bb
Opcode Fuzzy Hash: dc8d2e6aadaa68db752db86bd477804e8a53291406bff81c9315c621c7055a8e
Instruction Fuzzy Hash: A95146714087449BD320AF11DC86BAFBBF8FF85304F81885EF1D9421A5EB348569CB6A

Function 00495745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004957E0
_wcslen.LIBCMT ref: 004957EC

Strings

CALLARGARRAY, xrefs: 004957E6, 004957EB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b82296490e1d59c12e190a5a73f89ca214387288a717bb264492c4d011ff37cc
Instruction ID: fecf3f0de0c00c7a87670555f7d7806ca9bdb838620be0d1e54a475a5b7f74bc
Opcode Fuzzy Hash: b82296490e1d59c12e190a5a73f89ca214387288a717bb264492c4d011ff37cc
Instruction Fuzzy Hash: 5A41B131A001059FCF04EFAAC8818EEBBB5EF59324F20806EE505A7351D7389D81CB98

Function 0048D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0048D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0048D13A

Strings

|, xrefs: 0048D10B

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 0f42ad192cde520660dceabc2e82da7ebe21aa6c3c6d06947fb414a29ed9cbbe
Instruction ID: 4ec16e2f8a02741809843c60be763da7acbd863f6feddf6464bfc120ed63ca6c
Opcode Fuzzy Hash: 0f42ad192cde520660dceabc2e82da7ebe21aa6c3c6d06947fb414a29ed9cbbe
Instruction Fuzzy Hash: 7C315D71D01209ABCF15EFA5CC85AEF7FB9FF08304F00001AF815A6261DB39AA56CB58

Function 004A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004A365C

Strings

static, xrefs: 004A35BC

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1f71df5a5a77e6e7771f92438353676df90a110b90d831d3826a04c599156710
Instruction ID: 8937a241c43aba85c805cb7b0db8d41b42f9b532453bcbb288420416fe032ca8
Opcode Fuzzy Hash: 1f71df5a5a77e6e7771f92438353676df90a110b90d831d3826a04c599156710
Instruction Fuzzy Hash: 7D319071500204AEDB20DF68DC80EFB73A9FF59724F10861EF8A597290DA39ED81D768

Function 004A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004A4634

Strings

', xrefs: 004A458E

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f25b8ee910870c299010f727b1a0761f46c2517f703832a08c5d93b4dc2b909a
Instruction ID: 278866432a75f6133ca306e8ddf808b26519ac4dd7dbd476b3541e700e7534b6
Opcode Fuzzy Hash: f25b8ee910870c299010f727b1a0761f46c2517f703832a08c5d93b4dc2b909a
Instruction Fuzzy Hash: 39311B74E01209AFDB14CF69C990BDE7BB5FF9A300F14406AEA059B391D7B4A941CF94

Function 004A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A3287

Strings

Combobox, xrefs: 004A3249

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b1d59199b9493c6c8e63c270eb6c027d4a14f9ca47bf8893780fb42ba3ea9825
Instruction ID: 54686100568eec7a8c935302bead1e7db38eb0012482e362aaae7e6dfa3c28c5
Opcode Fuzzy Hash: b1d59199b9493c6c8e63c270eb6c027d4a14f9ca47bf8893780fb42ba3ea9825
Instruction Fuzzy Hash: EF1193722002086FEF119E94DC81FAB3B5AEB663A5F10416AF9149B290E6399D518764

Function 004A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
Part of subcall function 0041600E: GetStockObject.GDI32(00000011), ref: 00416060
Part of subcall function 0041600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

GetWindowRect.USER32(00000000,?), ref: 004A377A
GetSysColor.USER32(00000012), ref: 004A3794

Strings

static, xrefs: 004A3757

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e85d33f2f1c8c52e90ed52269ce52bcf9719eb891b3c35dd2b9530ef3ea4f1b7
Instruction ID: bdd8f7fc03df8967f961e44d2b56473a3d04c898315fbc28adba98d6e1c52ab1
Opcode Fuzzy Hash: e85d33f2f1c8c52e90ed52269ce52bcf9719eb891b3c35dd2b9530ef3ea4f1b7
Instruction Fuzzy Hash: D3116AB6610209AFDF00DFA8CC45EFA7BF8FB19304F004529F955E2250E739E8519B64

Function 0048CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0048CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0048CDA6

Strings

<local>, xrefs: 0048CD66

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4afbfe6e8ee70762d17c05ffac33ec09628ccfd59cf3e82305d0ced5c9b477a6
Instruction ID: 19456566e32879ac0b5af74dc50621a8bdbcddc167b6e4dcd556ac2dc9d8c7df
Opcode Fuzzy Hash: 4afbfe6e8ee70762d17c05ffac33ec09628ccfd59cf3e82305d0ced5c9b477a6
Instruction Fuzzy Hash: 7A11E3712416327AD7246B668CC4EEBBEE8EB127A4F004637B10983180D7789841D7F4

Function 004A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004A34BA

Strings

edit, xrefs: 004A348F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4e3cd975b0a13c5e1b44f130cbb2c8e140051d1bd924939cc63ceb11bdba65cd
Instruction ID: a6e0907f39db4a5a7b6c3bb6136229ef838c7ab2d80f2b8e05752251d133655b
Opcode Fuzzy Hash: 4e3cd975b0a13c5e1b44f130cbb2c8e140051d1bd924939cc63ceb11bdba65cd
Instruction Fuzzy Hash: 9611C471100104AFEB118E64DC80EFB3B69EF2A379F504325F960972D0D739DC519B58

Function 00476C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

CharUpperBuffW.USER32(?,?,?), ref: 00476CB6
_wcslen.LIBCMT ref: 00476CC2

Strings

STOP, xrefs: 00476CBC, 00476CC1

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 28679206a62af0a6341246020714314981fdf7c4775266c18473adb34a187ebb
Instruction ID: fe879a97793a3b7b280228da589abbb9b2d4c344b4264b584bd2dda403f9af9e
Opcode Fuzzy Hash: 28679206a62af0a6341246020714314981fdf7c4775266c18473adb34a187ebb
Instruction Fuzzy Hash: 660148326109268ACB219FBDDC809FF33A6EA60314702492AE85692280EB39D940C648

Function 00471CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00471D4C

Strings

ListBox, xrefs: 00471D16
ComboBox, xrefs: 00471CEB

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 754bd2daca0ae118a86f4789fe8cf7d4a8e1b534b7b5685d598d8ad6ccd6b750
Instruction ID: 914823559c697b7bf5af6e385ce19973813a0a27070786d89d12d907195b4341
Opcode Fuzzy Hash: 754bd2daca0ae118a86f4789fe8cf7d4a8e1b534b7b5685d598d8ad6ccd6b750
Instruction Fuzzy Hash: E2012831600214ABCB24EFA8CC61DFF7368EB02394B10451FF866573D1EE3869088AA8

Function 00471BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00471C46

Strings

ListBox, xrefs: 00471C10
ComboBox, xrefs: 00471BE5

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4c5d420a037254e331186d5a6b6747f452be9085ff02c8fc159ab0cf92dde320
Instruction ID: 11eca5a5cf8bca3fd7a44a9eab4ff858f99e890d3ed6015f3b0095c26d1f9fdd
Opcode Fuzzy Hash: 4c5d420a037254e331186d5a6b6747f452be9085ff02c8fc159ab0cf92dde320
Instruction Fuzzy Hash: 5A01FC717801046ECB15EBD4C962AFF77A89B11380F20001FE90B772D1EE289E08D6BD

Function 00471C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00471CC8

Strings

ListBox, xrefs: 00471C94
ComboBox, xrefs: 00471C69

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 78fc446232209b0b3c7e05bd25b074cdb5fa567e49b447faa858cc3da8dc3a8a
Instruction ID: 2ac1804088f680de8ca56071237e32e4dc760bc0a5e2c22bd6785422de5ffd33
Opcode Fuzzy Hash: 78fc446232209b0b3c7e05bd25b074cdb5fa567e49b447faa858cc3da8dc3a8a
Instruction Fuzzy Hash: ED01DB717801146BCB15EBD5CA12AFF77A89B11384F14401BB84673391EA289F08D6BD

Function 0042A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0042A529

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Strings

3yF, xrefs: 0042A545, 0042A54D, 0042A552
,%N, xrefs: 0042A509

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%N$3yF
API String ID: 2551934079-1307360129
Opcode ID: 7b2f2f27f5562ce8b3f0f84e7b84a4e513193e90cb91a220e176ecfec074d2a4
Instruction ID: 418cc78926548de2aaadc308080e2dde2569313f4241651e4a3aa4fbcfa0507b
Opcode Fuzzy Hash: 7b2f2f27f5562ce8b3f0f84e7b84a4e513193e90cb91a220e176ecfec074d2a4
Instruction Fuzzy Hash: 8B014C3270012067C500F769F967A9E73649B09715F90006FFD025B2C3DE9CAD818A8F

Function 00471D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00471DD3

Strings

ListBox, xrefs: 00471DA0
ComboBox, xrefs: 00471D75

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d89a502856e5c39345818e1652a6763f8d1621af43f45de5698e166956a836ad
Instruction ID: 2df90902ee7775ed1b6f2547434549fadf35ecf2c0f6341087b614a88b0ce741
Opcode Fuzzy Hash: d89a502856e5c39345818e1652a6763f8d1621af43f45de5698e166956a836ad
Instruction Fuzzy Hash: 09F0FE71B5021466C714F7A5CC62BFF7768AB01344F04091BF866632D1DE786D08866C

Function 004A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004E3018,004E305C), ref: 004A81BF
CloseHandle.KERNEL32 ref: 004A81D1

Strings

\0N, xrefs: 004A818A

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0N
API String ID: 3712363035-3569702050
Opcode ID: 60acf8a30cfbb372649baab865151f6d3e172417c6cf7604e4b4697a06d41dfd
Instruction ID: ac006691daa3690efdf5ddb45997eb7ada6350a0a05ec75d14e756c896bc5d97
Opcode Fuzzy Hash: 60acf8a30cfbb372649baab865151f6d3e172417c6cf7604e4b4697a06d41dfd
Instruction Fuzzy Hash: 3DF054B1640340BAE6616F616C89FB73A5CDB05756F004475BF08DA1A3D6798E0083BC

Function 0049747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00497493
_wcslen.LIBCMT ref: 004974B9

Strings

3, 3, 16, 1, xrefs: 00497483

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 1cde1e7e7372e767e44e90f64e3df7da0352d4813d922a60028896fabef41036
Instruction ID: 90c704d3f70c523181b90308de5ed625ea18abe4a02a594f8ea51ce15fdf8812
Opcode Fuzzy Hash: 1cde1e7e7372e767e44e90f64e3df7da0352d4813d922a60028896fabef41036
Instruction Fuzzy Hash: 1EE02B42224220149731127B9CC1BBF5F89CFCD7A0B14283FF985C2367EA9C9D9193A8

Function 00470B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00470B23

Strings

AutoIt, xrefs: 00470B17
Error allocating memory., xrefs: 00470B1C

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 10d667fa3f7ba39cd25d13b3e0767279dab750e15cef08508a50e080c8a3c4ca
Instruction ID: a42289d3ac2214fb02ac44b21cf6d6b90d49e3f233e2d72406c7fd7d07a05a55
Opcode Fuzzy Hash: 10d667fa3f7ba39cd25d13b3e0767279dab750e15cef08508a50e080c8a3c4ca
Instruction Fuzzy Hash: A9E0D83134431826D21037957C43FCA7A848F06B24F60447FF758555C38FE9649046ED

Function 00430D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0042F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00430D71,?,?,?,0041100A), ref: 0042F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0041100A), ref: 00430D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0041100A), ref: 00430D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00430D7F

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2c39a0950ae133ec544b63240841dce21304ca243dc62553b66265d6e6fb363c
Instruction ID: fed07d5464822113cbf13297c14df28a0f1cf339b4b02f850a8d5e0c6761e53d
Opcode Fuzzy Hash: 2c39a0950ae133ec544b63240841dce21304ca243dc62553b66265d6e6fb363c
Instruction Fuzzy Hash: 7FE06D702003518BD3709FB9E4543867BE0AF19744F008A7EE486C6651DBB8E4888B99

Function 0042E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0042E3D5

Strings

8%N, xrefs: 0042E3CA
0%N, xrefs: 0042E3B5

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%N$8%N
API String ID: 1385522511-4178720944
Opcode ID: 1a65213d45a7382c7eb62b61db8cafba2428eeae527ef17dadff786e3ed0ca5f
Instruction ID: fe2658506b5da9ddbca61f73aa50c2cbb097b142b5be2b8b4e8245d42afc07b8
Opcode Fuzzy Hash: 1a65213d45a7382c7eb62b61db8cafba2428eeae527ef17dadff786e3ed0ca5f
Instruction Fuzzy Hash: 50E02031500A74DBC604D71BB7A4AAF3359AB09325BD012BFE401CB2D6DBFC5841874D

Function 00483017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0048302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00483044

Strings

aut, xrefs: 00483038

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 11c526f36e3c188cb80f89da331bfd841544ce71cd9543a0fd7ae46f3d6a4e90
Instruction ID: acc32a86bd11759125ece02d5ff1fd36f6b75eef3aca50bf20289742e6806fbc
Opcode Fuzzy Hash: 11c526f36e3c188cb80f89da331bfd841544ce71cd9543a0fd7ae46f3d6a4e90
Instruction Fuzzy Hash: 0FD05E7290032867DA60A7A4AD4EFCB3F6CDB06750F0002A2B696E2191DAB49984CAD4

Function 004A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004A236C
PostMessageW.USER32(00000000), ref: 004A2373

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Strings

Shell_TrayWnd, xrefs: 004A2365

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ef623e423fce3f4c13e426aeadd1932239369e4a202ec3da9f49cd73249a9671
Instruction ID: ac2c67cecc9d447b77a96a90aaa07736c04624373e17cb5b240df6172f4988f3
Opcode Fuzzy Hash: ef623e423fce3f4c13e426aeadd1932239369e4a202ec3da9f49cd73249a9671
Instruction Fuzzy Hash: 7BD0C972781310BAE6A4A7719C4FFC66A189B16B14F114A277755AA1D0C9A4A8018A5C

Function 004A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004A233F

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Strings

Shell_TrayWnd, xrefs: 004A2325

Memory Dump Source

Source File: 00000000.00000002.2200774287.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2200740931.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200962494.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201114024.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201163081.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: af98946ad667410fa349bd09b5931b714950f24c2c57bd5ad1c7f2d7ad803ee7
Instruction ID: fbc913306e8adad24e6f473218d0bebb824e358e1fcdcdf04cf82b47add152f2
Opcode Fuzzy Hash: af98946ad667410fa349bd09b5931b714950f24c2c57bd5ad1c7f2d7ad803ee7
Instruction Fuzzy Hash: 02D02272380310B7E6A4B731DC4FFC67E089B01B00F004A277309AA1D0C8F4A800CA0C

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2332604744.000008C375103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2332604744.000008C375103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2313199139.0000025870BFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2369226865.0000025879230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2260177451.000002587936C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2369226865.0000025879230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2332604744.000008C375103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: R"://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2260177451.000002587936C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2369727589.0000025877189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194256575.0000025877165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344733362.0000025877165000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2369727589.0000025877189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194256575.0000025877165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344733362.0000025877165000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2369727589.0000025877189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194256575.0000025877165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344733362.0000025877165000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2313199139.0000025870BFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341555075.0000025879BE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358213799.0000025879BE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2387401460.000002586E542000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369226865.0000025879230000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387731732.000002586DDE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2332604744.000008C375103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2387401460.000002586E542000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387731732.000002586DDE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2379138211.00000258785A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344272330.0000025878541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355791807.0000025878541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2384757241.000002586E608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49897 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_7f9825c2-d9a3-4c0f-8ea0-bbd91a8fc7ae.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_7f9825c2-d9a3-4c0f-8ea0-bbd91a8fc7ae.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITG2ZDK1OCCC9T9TMPV7.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YM2Y26S743S9A1YHJM0O.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre