Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1583228
MD5:	ca250df7319ac4e1a197e00fda0c4323
SHA1:	77696b82c8ed34a6b1af27761dcaebaef49128b2
SHA256:	517ec3bee4730f2b57b1e5d576d0f92749c32d6678ac7695670c7c2b4d86ae06
Tags:	176-113-115-170bookingexelev-tolstoi-comSpam-ITAuser-JAMESWT_MHT
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

random.exe (PID: 5328 cmdline: "C:\Users\user\Desktop\random.exe" MD5: CA250DF7319AC4E1A197E00FDA0C4323)

taskkill.exe (PID: 7148 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6420 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2464 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7124 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6484 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6152 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6496 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4768 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5456 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2116 -prefMapHandle 2088 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15de6b27-7044-40bf-a2c2-be7884e414f8} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f42196ed10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5044 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -parentBuildID 20230927232528 -prefsHandle 4136 -prefMapHandle 2752 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72a50f43-12cd-4721-987a-ef72a27437aa} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f4393c4910 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7664 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5048 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9f16bfd-66d4-41a9-b176-b8c89b0ae8c4} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f439d11110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: random.exe PID: 5328	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0044EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0044EAFF

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0044ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0044ED6A

Source: C:\Users\user\Desktop\random.exe

0_2_0044EAFF

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0043AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0043AA57

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00469576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00469576

System Summary

Binary is likely a compiled AutoIt script file

Source: random.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: random.exe, 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b1af3e6a-8
Source: random.exe, 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bab5128c-c
Source: random.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d1f50013-b
Source: random.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_968184ed-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026AF5F5B737 NtQuerySystemInformation,		17_2_0000026AF5F5B737
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026AF5F73072 NtQuerySystemInformation,		17_2_0000026AF5F73072

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0043D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0043D5EB

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00431201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00431201

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0043E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0043E8F6

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003DBF40	0_2_003DBF40
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00442046	0_2_00442046
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003D8060	0_2_003D8060
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00438298	0_2_00438298
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0040E4FF	0_2_0040E4FF
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0040676B	0_2_0040676B
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00464873	0_2_00464873
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003FCAA0	0_2_003FCAA0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003DCAF0	0_2_003DCAF0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003ECC39	0_2_003ECC39
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00406DD9	0_2_00406DD9
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003EB119	0_2_003EB119
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003D91C0	0_2_003D91C0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F1394	0_2_003F1394
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F1706	0_2_003F1706
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F781B	0_2_003F781B
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003D7920	0_2_003D7920
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003E997D	0_2_003E997D
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F19B0	0_2_003F19B0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F7A4A	0_2_003F7A4A
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F1C77	0_2_003F1C77
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F7CA7	0_2_003F7CA7
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0045BE44	0_2_0045BE44
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00409EEE	0_2_00409EEE
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F1F32	0_2_003F1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026AF5F5B737	17_2_0000026AF5F5B737
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026AF5F73072	17_2_0000026AF5F73072
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026AF5F7379C	17_2_0000026AF5F7379C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000026AF5F730B2	17_2_0000026AF5F730B2

Source: C:\Users\user\Desktop\random.exe	Code function: String function: 003EF9F2 appears 40 times
Source: C:\Users\user\Desktop\random.exe	Code function: String function: 003F0A30 appears 46 times
Source: C:\Users\user\Desktop\random.exe	Code function: String function: 003D9CB3 appears 31 times

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/41@73/12

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_004437B5 GetLastError,FormatMessageW,

0_2_004437B5

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_004310BF AdjustTokenPrivileges,CloseHandle,		0_2_004310BF
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_004316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004316C3

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_004451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004451CD

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0043D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0043D4DC

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0044648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0044648E

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_003D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003D42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: random.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2220838301.000002F43D54B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2247132591.000002F43D46C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: random.exe	ReversingLabs: Detection: 28%
Source: random.exe	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2116 -prefMapHandle 2088 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15de6b27-7044-40bf-a2c2-be7884e414f8} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f42196ed10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -parentBuildID 20230927232528 -prefsHandle 4136 -prefMapHandle 2752 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72a50f43-12cd-4721-987a-ef72a27437aa} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f4393c4910 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5048 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9f16bfd-66d4-41a9-b176-b8c89b0ae8c4} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f439d11110 utility
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2116 -prefMapHandle 2088 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15de6b27-7044-40bf-a2c2-be7884e414f8} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f42196ed10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -parentBuildID 20230927232528 -prefsHandle 4136 -prefMapHandle 2752 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72a50f43-12cd-4721-987a-ef72a27437aa} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f4393c4910 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5048 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9f16bfd-66d4-41a9-b176-b8c89b0ae8c4} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f439d11110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: random.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2176748315.000002F4352BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2190247212.000002F43528D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2188778950.000002F43527E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2189476175.000002F435283000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2190247212.000002F43528D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2188778950.000002F43527E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2186248840.000002F431688000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2176748315.000002F4352BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2189476175.000002F435283000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2186248840.000002F431688000.00000004.00000020.00020000.00000000.sdmp

Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_003D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003D42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_003F0A76 push ecx; ret

0_2_003F0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003EF98E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00461C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00461C41

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\random.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95959

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000026AF5F5B737 rdtsc

17_2_0000026AF5F5B737

Source: C:\Users\user\Desktop\random.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0043DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0043DBBE
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0040C2A2 FindFirstFileExW,	0_2_0040C2A2
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_004468EE FindFirstFileW,FindClose,	0_2_004468EE
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0044698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0044698F
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0043D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0043D076
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0043D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0043D3A9
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00449642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00449642
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0044979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0044979D
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00449B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00449B2B
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00445C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00445C97

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_003D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003D42DE

Source: firefox.exe, 00000010.00000002.3898001554.000001CA187BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3902486010.0000026AF5FC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3897737273.0000026AF56BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3901867410.0000022556280000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3899474389.000001CA18B14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3898131545.0000022555EEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@%(V%
Source: firefox.exe, 00000010.00000002.3898001554.000001CA187BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWaX\|
Source: firefox.exe, 00000010.00000002.3903074150.000001CA19140000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3902486010.0000026AF5FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000026AF5F5B737 rdtsc

17_2_0000026AF5F5B737

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0044EAA2 BlockInput,

0_2_0044EAA2

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00402622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00402622

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_003D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003D42DE

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_003F4CE8 mov eax, dword ptr fs:[00000030h]

0_2_003F4CE8

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00430B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00430B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00402622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00402622
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003F083F
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F09D5 SetUnhandledExceptionFilter,	0_2_003F09D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_003F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003F0C21

Source: C:\Users\user\Desktop\random.exe

0_2_00431201

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00412BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00412BA5

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0043B226 SendInput,keybd_event,

0_2_0043B226

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_004522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004522DA

Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

0_2_00430B62

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00431663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00431663

Source: random.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: random.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_003F0698 cpuid

0_2_003F0698

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0042D21C GetLocalTime,

0_2_0042D21C

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0042D27A GetUserNameW,

0_2_0042D27A

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0040B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0040B952

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_003D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003D42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: random.exe PID: 5328, type: MEMORYSTR

Source: random.exe	Binary or memory string: WIN_81
Source: random.exe	Binary or memory string: WIN_XP
Source: random.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: random.exe	Binary or memory string: WIN_XPe
Source: random.exe	Binary or memory string: WIN_VISTA
Source: random.exe	Binary or memory string: WIN_7
Source: random.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: random.exe PID: 5328, type: MEMORYSTR

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00451204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00451204
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00451806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00451806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random.exe	29%	ReversingLabs	Win32.Trojan.Generic
random.exe	31%	Virustotal		Browse
random.exe	100%	Avira	TR/ATRAPS.Gen
random.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.252.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.59.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.186.46	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.184.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000E.00000003.2220469707.000002F43D9C2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3899381751.00000225561C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2231523929.000002F43A7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2162153076.000002F432555000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252820525.000002F43C4C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161164524.000002F432555000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236633683.000002F43C4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221097322.000002F43C4B7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2098662629.000002F439823000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2098881287.000002F43981E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3900701544.000001CA18DC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3898466232.0000026AF59E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3902193735.0000022556403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3898466232.0000026AF5986000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3899381751.000002255618E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2237476993.000002F439C5A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2240715050.000002F433466000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241205641.000002F43337B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2224905808.000002F4399EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174571948.000002F4399EA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2242360914.000002F432BB6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2174571948.000002F4399F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080312779.000002F431B6F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2245014124.000002F43ADEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237020552.000002F43ADEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253674714.000002F43ADEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217544822.000002F43ADEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277427985.000002F43ADEE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2277018354.000002F43D432000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2175495591.000002F43967A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2188252194.000002F433FE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2079216932.000002F431B38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077947322.000002F431B1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217544822.000002F43ADBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211925594.000002F433FE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080434826.000002F431B8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2079490913.000002F431B53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245014124.000002F43ADBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2075304924.000002F431900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158995815.000002F433FE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237020552.000002F43AD7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080312779.000002F431B6F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2234020566.000002F4344BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2079216932.000002F431B38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077947322.000002F431B1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2079490913.000002F431B53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2075304924.000002F431900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080312779.000002F431B6F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2254042747.000002F439DD9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2175495591.000002F43967A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2277148581.000002F43CFC9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2160057729.000002F43AEEB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2237476993.000002F439C5A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2186446946.000002F431726000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204727048.000002F43173B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2237476993.000002F439C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3898466232.0000026AF5903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3899381751.000002255610C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2159770311.000002F4325AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2254557798.000002F439CE4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2237476993.000002F439C5A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2277299854.000002F43CF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252220236.000002F43CF59000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3899381751.00000225561C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2234761898.000002F434359000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249621695.000002F434359000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2159770311.000002F4325AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161472975.000002F4325AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2277018354.000002F43D432000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2240171901.000002F433728000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2242079840.000002F43321F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2246752191.000002F43D4D5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3900701544.000001CA18DC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3898466232.0000026AF59E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3902193735.0000022556403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3900701544.000001CA18DC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3898466232.0000026AF59E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3902193735.0000022556403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2240715050.000002F433466000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238643125.000002F439686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3898466232.0000026AF5912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3899381751.0000022556113000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2237476993.000002F439C5A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/0SS3	firefox.exe, 0000000E.00000003.2226068770.000018510E804000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3901648754.0000022556270000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000012.00000002.3899381751.000002255618E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2175495591.000002F43967A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2254557798.000002F439CEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237476993.000002F439CEF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2161472975.000002F4325AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2247773646.000002F4397A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2098847191.000002F4398AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160183443.000002F43368D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175455078.000002F4396DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2099296488.000002F4398AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115342371.000002F433E8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2154878320.000002F43948D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187186133.000002F43BEBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280855181.000002F432635000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2087446473.000002F4319D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183632552.000002F4319C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244010032.000002F432686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242839115.000002F43283D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160057729.000002F43AEEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194764149.000002F4398D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174787278.000002F4397CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212463023.000002F433F1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186017474.000002F433EFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2099626816.000002F4398E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194918154.000002F43988E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212195091.000002F433F66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2234020566.000002F4344BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2234020566.000002F4344BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2107592736.000002F4397C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174824892.000002F4397C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2175455078.000002F4396DD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2175455078.000002F4396DD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2254557798.000002F439CEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237476993.000002F439CEF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2098881287.000002F43981E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2235178032.000002F43413D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239052812.000002F43413D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250366634.000002F43413D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2105489399.000002F439C80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255486919.000002F439C88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237476993.000002F439C80000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2216254767.000002F43A757000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2161472975.000002F4325AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2277651227.000002F43A7C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173349228.000002F43A7C2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2256877207.000002F4348B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248040738.000002F4348B5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2159770311.000002F4325AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161472975.000002F4325AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161767328.000002F4325BF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2186446946.000002F431726000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204727048.000002F43173B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2277299854.000002F43CF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252220236.000002F43CF59000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2242839115.000002F4328E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3898949553.000001CA18890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3901128720.0000026AF5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3899050660.0000022555F70000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2237476993.000002F439C5A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583228
Start date and time:	2025-01-02 09:10:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/41@73/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 51 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.235.50.64, 44.233.129.8, 54.188.58.34, 2.22.61.56, 2.22.61.59, 142.250.184.238, 142.250.186.138, 172.217.16.202, 172.217.23.110, 184.28.90.27, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse
	ReJIL-_Document_No._2500015903.msg	Get hash	malicious	Unknown	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	NetFxRepairTools.msi	Get hash	malicious	Quasar	Browse
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	ReJIL-_Document_No._2500015903.msg	Get hash	malicious	Unknown	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse
	tightvnc-2.8.59-gpl-setup-64bit.msi	Get hash	malicious	Unknown	Browse
	kjDPynh9vQ.exe	Get hash	malicious	Credential Flusher	Browse
	kjDPynh9vQ.exe	Get hash	malicious	Credential Flusher	Browse
	6eftz6UKDm.exe	Get hash	malicious	Credential Flusher	Browse
	nmy4mJXEaz.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse
34.149.100.209	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse
	https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d	Get hash	malicious	HTMLPhisher	Browse
	ReJIL-_Document_No._2500015903.msg	Get hash	malicious	Unknown	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	NetFxRepairTools.msi	Get hash	malicious	Quasar	Browse
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	ReJIL-_Document_No._2500015903.msg	Get hash	malicious	Unknown	Browse	93.184.215.14
	NetFxRepairTools.msi	Get hash	malicious	Quasar	Browse	93.184.215.14
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	ghostspider.7z	Get hash	malicious	Unknown	Browse	93.184.215.14
twitter.com	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d	Get hash	malicious	HTMLPhisher	Browse	104.244.42.193
	ReJIL-_Document_No._2500015903.msg	Get hash	malicious	Unknown	Browse	104.244.42.65
star-mini.c10r.facebook.com	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	157.240.252.35
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	157.240.0.35
	FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg	Get hash	malicious	Unknown	Browse	157.240.253.35
	http://knoxoms.com	Get hash	malicious	Unknown	Browse	157.240.252.35
	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	157.240.253.35
	https://tepco-jp-lin;.%5Dshop/co/tepco	Get hash	malicious	Unknown	Browse	157.240.252.35
	EFT Payment_Transcript__Survitecgroup.html	Get hash	malicious	Unknown	Browse	157.240.252.35
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	34.117.77.79
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	34.117.77.79
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	34.118.114.163
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	34.117.61.150
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	34.67.61.212
FASTLYUS	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	151.101.66.137
	01012025.html	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	185.199.109.133
	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	151.101.193.44
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	151.101.65.44
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	151.101.129.44
	ipmsg5.6.18_installer.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
ATGS-MMD-ASUS	gZY58wycW0.exe	Get hash	malicious	GhostRat	Browse	34.1.142.70
	armv5l.elf	Get hash	malicious	Unknown	Browse	33.8.247.170
	armv7l.elf	Get hash	malicious	Unknown	Browse	56.161.195.74
	armv4l.elf	Get hash	malicious	Unknown	Browse	48.248.220.219
	armv6l.elf	Get hash	malicious	Unknown	Browse	48.15.174.221
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	57.26.56.105
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	48.195.166.175
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	34.167.142.96
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	32.159.121.64
ATGS-MMD-ASUS	gZY58wycW0.exe	Get hash	malicious	GhostRat	Browse	34.1.142.70
	armv5l.elf	Get hash	malicious	Unknown	Browse	33.8.247.170
	armv7l.elf	Get hash	malicious	Unknown	Browse	56.161.195.74
	armv4l.elf	Get hash	malicious	Unknown	Browse	48.248.220.219
	armv6l.elf	Get hash	malicious	Unknown	Browse	48.15.174.221
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	57.26.56.105
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	48.195.166.175
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	34.167.142.96
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	32.159.121.64

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	ReJIL-_Document_No._2500015903.msg	Get hash	malicious	Unknown	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	NetFxRepairTools.msi	Get hash	malicious	Quasar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	NetFxRepairTools.msi	Get hash	malicious	Quasar	Browse
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse
	nM0h824cc3.exe	Get hash	malicious	Credential Flusher	Browse
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse
	ghostspider.7z	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_31595935-f0fa-4675-bc23-066213b616a0.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.18302375753949
Encrypted:	false
SSDEEP:	192:YKMXwytcbhbVbTbfbRbObtbyEl7norfJA6wnSrDtTkd/S0n:YPZcNhnzFSJIrGjnSrDhkd/dn
MD5:	3491C8515CD1832C4BD2CCB2CD75FDED
SHA1:	3E5040114E4D24D4863A65CF4C458FF828FDA3A0
SHA-256:	03F4CEC3122AC403961082B4F1B00232A9CCFCD29AA97D88ED00C920A3F1AA36
SHA-512:	F89F31C7911C580A0F1A395B8E504F7CBC56582F9FF4BB354FE520FAF55ED03F8786ED1095AF5D3D71E586191FF23A43F8CD5F557B7DD40B7C66A59E01B6BF22
Malicious:	false
Preview:	{"type":"uninstall","id":"31595935-f0fa-4675-bc23-066213b616a0","creationDate":"2025-01-02T09:20:10.877Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_31595935-f0fa-4675-bc23-066213b616a0.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.18302375753949
Encrypted:	false
SSDEEP:	192:YKMXwytcbhbVbTbfbRbObtbyEl7norfJA6wnSrDtTkd/S0n:YPZcNhnzFSJIrGjnSrDhkd/dn
MD5:	3491C8515CD1832C4BD2CCB2CD75FDED
SHA1:	3E5040114E4D24D4863A65CF4C458FF828FDA3A0
SHA-256:	03F4CEC3122AC403961082B4F1B00232A9CCFCD29AA97D88ED00C920A3F1AA36
SHA-512:	F89F31C7911C580A0F1A395B8E504F7CBC56582F9FF4BB354FE520FAF55ED03F8786ED1095AF5D3D71E586191FF23A43F8CD5F557B7DD40B7C66A59E01B6BF22
Malicious:	false
Preview:	{"type":"uninstall","id":"31595935-f0fa-4675-bc23-066213b616a0","creationDate":"2025-01-02T09:20:10.877Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	dropped
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1WI20H3RJUTZRLG3VI8R.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.305703967732538
Encrypted:	false
SSDEEP:	48:Hd7MfbUgdwSMzVd7Mfl6BdwScvd7MfFadwS+1:ZM3yMtaKMNKw
MD5:	E0A8BABD22D99303C9BD4BAC3D793E97
SHA1:	35B59580DDA6602023ED864FD595293B14E8C96F
SHA-256:	96F06296A85349F7C6B34570B9E146BA32A690A424ACF5B0EEAE12877654A901
SHA-512:	7EEC8439E5A1587B20DFA94743BAF9CD6136204E74BD34F8C6C73672DB27DB59BEDBEF53F9A053DA4B4354C1EBE4628F1AE91827650614B225F91D7DDDEF1CDA
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......Q....\..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"ZsA....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W"ZsA............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W"ZsA..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........5.d`.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.305703967732538
Encrypted:	false
SSDEEP:	48:Hd7MfbUgdwSMzVd7Mfl6BdwScvd7MfFadwS+1:ZM3yMtaKMNKw
MD5:	E0A8BABD22D99303C9BD4BAC3D793E97
SHA1:	35B59580DDA6602023ED864FD595293B14E8C96F
SHA-256:	96F06296A85349F7C6B34570B9E146BA32A690A424ACF5B0EEAE12877654A901
SHA-512:	7EEC8439E5A1587B20DFA94743BAF9CD6136204E74BD34F8C6C73672DB27DB59BEDBEF53F9A053DA4B4354C1EBE4628F1AE91827650614B225F91D7DDDEF1CDA
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......Q....\..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"ZsA....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W"ZsA............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W"ZsA..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........5.d`.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.305703967732538
Encrypted:	false
SSDEEP:	48:Hd7MfbUgdwSMzVd7Mfl6BdwScvd7MfFadwS+1:ZM3yMtaKMNKw
MD5:	E0A8BABD22D99303C9BD4BAC3D793E97
SHA1:	35B59580DDA6602023ED864FD595293B14E8C96F
SHA-256:	96F06296A85349F7C6B34570B9E146BA32A690A424ACF5B0EEAE12877654A901
SHA-512:	7EEC8439E5A1587B20DFA94743BAF9CD6136204E74BD34F8C6C73672DB27DB59BEDBEF53F9A053DA4B4354C1EBE4628F1AE91827650614B225F91D7DDDEF1CDA
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......Q....\..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"ZsA....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W"ZsA............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W"ZsA..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........5.d`.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FPWXM17X5LO482VEKOVX.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.305703967732538
Encrypted:	false
SSDEEP:	48:Hd7MfbUgdwSMzVd7Mfl6BdwScvd7MfFadwS+1:ZM3yMtaKMNKw
MD5:	E0A8BABD22D99303C9BD4BAC3D793E97
SHA1:	35B59580DDA6602023ED864FD595293B14E8C96F
SHA-256:	96F06296A85349F7C6B34570B9E146BA32A690A424ACF5B0EEAE12877654A901
SHA-512:	7EEC8439E5A1587B20DFA94743BAF9CD6136204E74BD34F8C6C73672DB27DB59BEDBEF53F9A053DA4B4354C1EBE4628F1AE91827650614B225F91D7DDDEF1CDA
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......Q....\..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"ZsA....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W"ZsA............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W"ZsA..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........5.d`.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925835515466159
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNKX9Yxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6Lpa8P
MD5:	FB022705EA71FE4D783386B46C22F713
SHA1:	D176CAF7123DE3D7DDE9F70F652DCE2740B8CAED
SHA-256:	5CDB3D4FB6940B4CFD0997A84FC3249FAEDD653867951CE546122716E1CF6B80
SHA-512:	396D4C176E756B86516F11078A8C092379EE67A0B9A7113A0ACA03133882DAD4D32A26A5CAA3DB80CF207729DC1E2CE10E1C942B9456B0493DFDFEC3EC7AA223
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925835515466159
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNKX9Yxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6Lpa8P
MD5:	FB022705EA71FE4D783386B46C22F713
SHA1:	D176CAF7123DE3D7DDE9F70F652DCE2740B8CAED
SHA-256:	5CDB3D4FB6940B4CFD0997A84FC3249FAEDD653867951CE546122716E1CF6B80
SHA-512:	396D4C176E756B86516F11078A8C092379EE67A0B9A7113A0ACA03133882DAD4D32A26A5CAA3DB80CF207729DC1E2CE10E1C942B9456B0493DFDFEC3EC7AA223
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: rpDOUhuBC5.exe, Detection: malicious, Browse Filename: rpDOUhuBC5.exe, Detection: malicious, Browse Filename: cMTqzvmx9u.exe, Detection: malicious, Browse Filename: NetFxRepairTools.msi, Detection: malicious, Browse Filename: nM0h824cc3.exe, Detection: malicious, Browse Filename: nM0h824cc3.exe, Detection: malicious, Browse Filename: gTU8ed4669.exe, Detection: malicious, Browse Filename: gTU8ed4669.exe, Detection: malicious, Browse Filename: ghostspider.7z, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333359575325823
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki2:DLhesh7Owd4+ji2
MD5:	7D81B83D1E19CC998541760DF542F8B4
SHA1:	8A8F7BD48C1AC9977580540DD4B19B5793C4CF5B
SHA-256:	5639886BD5A3470C0AA927327842CB382CBCB4A092F01197FDBBEF63D510639C
SHA-512:	C1BDB8317448231CFED7620D9C1E4BE1BD4846A57397A875C3AC437BCFD2293F5E7D413DB7D08A004BBB0C8AC014C762403B74435E294318A73069367F044966
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039414518880925786
Encrypted:	false
SSDEEP:	3:GHlhVyRUJXZ9odlhVyRUJXZlSl8a9//Ylll4llqlyllel4lt:G7VymJJihVymJJAL9XIwlio
MD5:	10AA3AAE237348D0AAEF97173D48574D
SHA1:	96D8D5CBD4169D28B1FFBA26CB4D3D234DFCDD6D
SHA-256:	FE16BA4EBAE8A44704DF335A0BF2F734D4444512D6F04B6CD1EF848BA6B88AB5
SHA-512:	BBB353ADE14A5656E0AC17E7BBE4F8674079CD734FAFCB85579C805EB58F17F8A7D992B9038A391824585EA72E23C9DA86D859A1E217F419839FDF01842E488D
Malicious:	false
Preview:	..-......................7...........9,....v.E..-......................7...........9,....v.E........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.13387809120316838
Encrypted:	false
SSDEEP:	24:K5/fkOJLxsZ+82zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaD2mLX:m/MgQd2VJCXs4qLWeJa1Vym8kSZk
MD5:	750D3D3A89C4B254D6FACA4A79D64B57
SHA1:	2C1DE771CDDB13D62781A06292456505A045CCEF
SHA-256:	7096B78D7BD37B5159ED26AAE6576F959FA00E0C463B7EB0B66BD9BCA6EB8914
SHA-512:	1CC5ACCA7866B2723AF89E87AD2D52F721E36686B9FE3B87B8F2ED2BE39171931053844B5184EBD70005BEBAD190088E4C840704AE70C2ACB35B1CD04BF6E93C
Malicious:	false
Preview:	7....-................9,....h_}..............9,.G.4..,................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.479621492383194
Encrypted:	false
SSDEEP:	192:xMPVgRMnEnPOeRnLYbBp62kJ0aX+UN6SEXKAbNp15RHWNBw8dNSl:dDewJUp1BLHEwa0
MD5:	8941382A12F5691937F4993B43CEE856
SHA1:	BDBA45AD4FC481E923365FE8BEC858A7F8E7AFF3
SHA-256:	60B76C47610FDC2BA9EB288901ED8C43DDC647FD5BFCC04AFC63A87F2BB2C7C7
SHA-512:	36CF48EB5F6F0D0D5C940522C51AFEE9B519ED3AEF2B40BF1898D521BDF532D1C587E3C3BDD462DF5483EF2B7F579F18C11784A33C4013ABCC4815229BD84801
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1735809581);..user_pref("app.update.lastUpdateTime.background-update-timer", 1735809581);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1735809581);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173580

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.479621492383194
Encrypted:	false
SSDEEP:	192:xMPVgRMnEnPOeRnLYbBp62kJ0aX+UN6SEXKAbNp15RHWNBw8dNSl:dDewJUp1BLHEwa0
MD5:	8941382A12F5691937F4993B43CEE856
SHA1:	BDBA45AD4FC481E923365FE8BEC858A7F8E7AFF3
SHA-256:	60B76C47610FDC2BA9EB288901ED8C43DDC647FD5BFCC04AFC63A87F2BB2C7C7
SHA-512:	36CF48EB5F6F0D0D5C940522C51AFEE9B519ED3AEF2B40BF1898D521BDF532D1C587E3C3BDD462DF5483EF2B7F579F18C11784A33C4013ABCC4815229BD84801
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1735809581);..user_pref("app.update.lastUpdateTime.background-update-timer", 1735809581);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1735809581);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173580

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\6073edbf-05f2-42a2-8d8c-b2501ede281e (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.936512482432929
Encrypted:	false
SSDEEP:	12:YZFg2aROZQwIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YQOCwSlCOlZGV1AQIWZcy6ZXvx
MD5:	605CB25C218D73922A22DCE63D9F4F87
SHA1:	A3D1C3FA57207ED9939E295ED8FC2D9549D85397
SHA-256:	E8F7040EA09BDDE48D9CD450CF54C4B044E148CDDCD1333F7EE08E512E89B4C2
SHA-512:	2B85F74CA866D1455C1A6D74F8115AA494347A2310BF71ACBB9FB4D1498BD0BA6F7C99A1B7AF6C769DB5D485F3AF829383FD1DBD00D42C287DC97D4D2E2CB904
Malicious:	false
Preview:	{"type":"health","id":"6073edbf-05f2-42a2-8d8c-b2501ede281e","creationDate":"2025-01-02T09:20:11.245Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\6073edbf-05f2-42a2-8d8c-b2501ede281e.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.936512482432929
Encrypted:	false
SSDEEP:	12:YZFg2aROZQwIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YQOCwSlCOlZGV1AQIWZcy6ZXvx
MD5:	605CB25C218D73922A22DCE63D9F4F87
SHA1:	A3D1C3FA57207ED9939E295ED8FC2D9549D85397
SHA-256:	E8F7040EA09BDDE48D9CD450CF54C4B044E148CDDCD1333F7EE08E512E89B4C2
SHA-512:	2B85F74CA866D1455C1A6D74F8115AA494347A2310BF71ACBB9FB4D1498BD0BA6F7C99A1B7AF6C769DB5D485F3AF829383FD1DBD00D42C287DC97D4D2E2CB904
Malicious:	false
Preview:	{"type":"health","id":"6073edbf-05f2-42a2-8d8c-b2501ede281e","creationDate":"2025-01-02T09:20:11.245Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.352327376993031
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSyILXnIrBC/pnxQwRcWT5sKmgbR3eHVpjO+fvamhujJwO2c0TiVmcj:GUpOx2wanRcoeg93erjxfv4Jwc38m
MD5:	859E78BA1A9E9885804F61C7145977BD
SHA1:	88C5F1E7B3360752AB322F3B2CDE3300830EC467
SHA-256:	6E5EC74BE4E6B952311BBDDDE15FF8A3F55DAD1C852219748599F79F8D1EBDAB
SHA-512:	1DCAB7B494E52020F9A50383F2C339143FD1A903B5D77D514B230240DDE54FF23A3B08B380310653B3164F24CEB1CBF11CBA1964CC5AD93AF5777471774555B5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{6fb024b4-f4b2-4ad0-905e-187d072d2702}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1735809584780,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P50366...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...58640,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.352327376993031
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSyILXnIrBC/pnxQwRcWT5sKmgbR3eHVpjO+fvamhujJwO2c0TiVmcj:GUpOx2wanRcoeg93erjxfv4Jwc38m
MD5:	859E78BA1A9E9885804F61C7145977BD
SHA1:	88C5F1E7B3360752AB322F3B2CDE3300830EC467
SHA-256:	6E5EC74BE4E6B952311BBDDDE15FF8A3F55DAD1C852219748599F79F8D1EBDAB
SHA-512:	1DCAB7B494E52020F9A50383F2C339143FD1A903B5D77D514B230240DDE54FF23A3B08B380310653B3164F24CEB1CBF11CBA1964CC5AD93AF5777471774555B5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{6fb024b4-f4b2-4ad0-905e-187d072d2702}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1735809584780,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P50366...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...58640,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.352327376993031
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSyILXnIrBC/pnxQwRcWT5sKmgbR3eHVpjO+fvamhujJwO2c0TiVmcj:GUpOx2wanRcoeg93erjxfv4Jwc38m
MD5:	859E78BA1A9E9885804F61C7145977BD
SHA1:	88C5F1E7B3360752AB322F3B2CDE3300830EC467
SHA-256:	6E5EC74BE4E6B952311BBDDDE15FF8A3F55DAD1C852219748599F79F8D1EBDAB
SHA-512:	1DCAB7B494E52020F9A50383F2C339143FD1A903B5D77D514B230240DDE54FF23A3B08B380310653B3164F24CEB1CBF11CBA1964CC5AD93AF5777471774555B5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{6fb024b4-f4b2-4ad0-905e-187d072d2702}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1735809584780,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P50366...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...58640,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029176257866898
Encrypted:	false
SSDEEP:	96:ycNMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:kTEr5NX0z3DhRe
MD5:	03D4AD229DF54297CEDF69762F211C66
SHA1:	2F6977E8AC9DCFCA57ACD0BF123D67F095A34746
SHA-256:	37F949533939F81DE405249585B1E9E513C1C2F116E6990FE5FAF021F9E7997A
SHA-512:	4772165B6A21D17CBCC524234243EEAD1820B13FC80B155FC6AA1C04DAE7E7CC85067DB631AB733A14FD626584D000902F0BF60CD1559593E7A1EDD98FD026DA
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2025-01-02T09:19:25.181Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029176257866898
Encrypted:	false
SSDEEP:	96:ycNMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:kTEr5NX0z3DhRe
MD5:	03D4AD229DF54297CEDF69762F211C66
SHA1:	2F6977E8AC9DCFCA57ACD0BF123D67F095A34746
SHA-256:	37F949533939F81DE405249585B1E9E513C1C2F116E6990FE5FAF021F9E7997A
SHA-512:	4772165B6A21D17CBCC524234243EEAD1820B13FC80B155FC6AA1C04DAE7E7CC85067DB631AB733A14FD626584D000902F0BF60CD1559593E7A1EDD98FD026DA
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2025-01-02T09:19:25.181Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.698476963939942
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	random.exe
File size:	968'192 bytes
MD5:	ca250df7319ac4e1a197e00fda0c4323
SHA1:	77696b82c8ed34a6b1af27761dcaebaef49128b2
SHA256:	517ec3bee4730f2b57b1e5d576d0f92749c32d6678ac7695670c7c2b4d86ae06
SHA512:	dffbcb6b2979c71e83cc701ca62bd7de9138c5612a7d12db4052576768558139b595eef2193eab03d307fe507fee95ad1a8fed6447edc255782eef2f42e1e98a
SSDEEP:	24576:pqDEvCTbMWu7rQYlBQcBiT6rprG8a2T7L:pTvC/MTQYxsWR7a2
TLSH:	CF259E0273D1C062FFAB92334F5AF6515BBC69260123A62F13981DB9BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67763D6B [Thu Jan 2 07:16:59 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F29AC8F79A3h
jmp 00007F29AC8F72AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F29AC8F748Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F29AC8F745Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F29AC8FA04Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F29AC8FA098h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F29AC8FA081h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x15b48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x15b48	0x15c00	69063a10dc335f51f4d64a29b9179df5	False	0.6954584231321839	data	7.143810173647267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xccca	data			1.0004959371304314
RT_GROUP_ICON	0xe95c8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe9640	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe9654	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9668	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe967c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe9758	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:11:41.414693117 CET	49710	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.414736986 CET	443	49710	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:41.414800882 CET	49710	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.419365883 CET	49710	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.419380903 CET	443	49710	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:41.880095005 CET	443	49710	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:41.880589962 CET	49710	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.888314009 CET	49710	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.888331890 CET	443	49710	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:41.888508081 CET	49710	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.888539076 CET	443	49710	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:41.889242887 CET	49711	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.889291048 CET	443	49711	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:41.891182899 CET	49710	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.891222000 CET	49711	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.892827034 CET	49711	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:41.892843008 CET	443	49711	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:42.210289955 CET	49712	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:42.210319996 CET	443	49712	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:42.215795994 CET	49712	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:42.217238903 CET	49712	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:42.217256069 CET	443	49712	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:42.347986937 CET	443	49711	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:42.348067999 CET	49711	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:42.352483034 CET	49711	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:42.352493048 CET	443	49711	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:42.352581978 CET	49711	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:42.352655888 CET	443	49711	35.190.72.216	192.168.2.5
Jan 2, 2025 09:11:42.352730036 CET	49711	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:11:42.457541943 CET	49713	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:42.457582951 CET	443	49713	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:42.460221052 CET	49714	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:42.465070009 CET	80	49714	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:42.472302914 CET	49714	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:42.472302914 CET	49713	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:42.476624012 CET	49713	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:42.476639032 CET	443	49713	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:42.476890087 CET	49714	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:42.481769085 CET	80	49714	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:42.720818043 CET	49715	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:42.720860958 CET	443	49715	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:42.729238033 CET	49715	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:42.730745077 CET	49715	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:42.730760098 CET	443	49715	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:42.734473944 CET	49716	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:42.734498978 CET	443	49716	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:42.735342979 CET	49716	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:42.736780882 CET	49716	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:42.736794949 CET	443	49716	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:42.865428925 CET	443	49712	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:42.865998983 CET	49712	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:42.866848946 CET	443	49712	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:42.866904020 CET	49712	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:42.925568104 CET	80	49714	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:42.973665953 CET	49714	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:43.102991104 CET	443	49713	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:43.103008032 CET	443	49713	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:43.103775024 CET	443	49713	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:43.106549978 CET	49713	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:43.106568098 CET	443	49713	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:43.168677092 CET	49713	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:43.203107119 CET	443	49716	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.205874920 CET	443	49715	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.205888987 CET	443	49715	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.209003925 CET	49716	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.210560083 CET	49715	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.551840067 CET	49712	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:43.551868916 CET	443	49712	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:43.552022934 CET	49712	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:43.552165031 CET	443	49712	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:43.554018021 CET	49713	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:43.554053068 CET	443	49713	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:43.554097891 CET	49713	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:43.554274082 CET	443	49713	142.250.186.46	192.168.2.5
Jan 2, 2025 09:11:43.556385994 CET	49712	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:43.556404114 CET	49713	443	192.168.2.5	142.250.186.46
Jan 2, 2025 09:11:43.558630943 CET	49715	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.558644056 CET	443	49715	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.558716059 CET	49715	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.558897018 CET	443	49715	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.559279919 CET	49718	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.559323072 CET	443	49718	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.559341908 CET	49716	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.559354067 CET	443	49716	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.559417009 CET	49716	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.559541941 CET	443	49716	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.559679031 CET	49719	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.559730053 CET	443	49719	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.559730053 CET	49715	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.559768915 CET	49716	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.559803963 CET	49718	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.561068058 CET	49718	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.561075926 CET	443	49718	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.562289953 CET	49719	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.563638926 CET	49719	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:43.563653946 CET	443	49719	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:43.585834026 CET	49720	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:43.585865974 CET	443	49720	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:43.586508036 CET	49720	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:43.586750031 CET	49720	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:43.586765051 CET	443	49720	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:43.854995012 CET	49721	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:43.855943918 CET	49714	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:43.857347965 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:43.857388020 CET	443	49722	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:43.857847929 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:43.858020067 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:43.858032942 CET	443	49722	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:43.859822989 CET	80	49721	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:43.860726118 CET	80	49714	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:43.860735893 CET	49721	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:43.860871077 CET	49721	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:43.865608931 CET	80	49721	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:43.952353954 CET	80	49714	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.012115955 CET	49721	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.020477057 CET	443	49718	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.025990009 CET	443	49719	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.027328014 CET	443	49718	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.034204960 CET	49718	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.034225941 CET	49719	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.040462017 CET	49718	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.040472031 CET	443	49718	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.040561914 CET	49718	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.040679932 CET	443	49718	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.040683985 CET	49719	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.040707111 CET	443	49719	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.040771008 CET	49719	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.040930033 CET	443	49719	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.041049004 CET	49718	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.041062117 CET	49719	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.049138069 CET	443	49720	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:44.049226046 CET	49720	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:44.052439928 CET	49720	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:44.052448034 CET	443	49720	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:44.052663088 CET	443	49720	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:44.054615021 CET	49720	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:44.054692984 CET	49720	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:44.054905891 CET	443	49720	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:44.054969072 CET	49720	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:44.059014082 CET	80	49721	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.065777063 CET	49714	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.232566118 CET	80	49721	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.232631922 CET	49721	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.309716940 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.310659885 CET	49714	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.314457893 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.315670013 CET	80	49714	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.317104101 CET	443	49722	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.317418098 CET	49714	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.317445040 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.317456007 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.320801020 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.320811033 CET	443	49722	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.321058035 CET	443	49722	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.321255922 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.322834015 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.322936058 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.322968006 CET	443	49722	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.323273897 CET	49724	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.323307037 CET	443	49724	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.323365927 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.323380947 CET	49722	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.323560953 CET	49724	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.323677063 CET	49724	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.323687077 CET	443	49724	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.326057911 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.448537111 CET	49725	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.448580027 CET	443	49725	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.450896978 CET	49726	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.451307058 CET	49725	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.452924967 CET	49725	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.452939987 CET	443	49725	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.455703020 CET	80	49726	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.457396984 CET	49726	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.706876040 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.711852074 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.721385956 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.721589088 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.726351023 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.765775919 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:44.776518106 CET	443	49724	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.783334970 CET	443	49724	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.785022020 CET	49724	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.788108110 CET	49724	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.788134098 CET	443	49724	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.788381100 CET	443	49724	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.790365934 CET	49724	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.790445089 CET	49724	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.790498972 CET	443	49724	34.160.144.191	192.168.2.5
Jan 2, 2025 09:11:44.804729939 CET	49724	443	192.168.2.5	34.160.144.191
Jan 2, 2025 09:11:44.870763063 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:44.928924084 CET	443	49725	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.929049015 CET	49725	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.933561087 CET	49725	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.933571100 CET	443	49725	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.933702946 CET	49725	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.933727026 CET	443	49725	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.934150934 CET	49729	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.934194088 CET	443	49729	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:44.934236050 CET	49725	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.935136080 CET	49729	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.936624050 CET	49729	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:44.936645031 CET	443	49729	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:45.166569948 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:45.218502998 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:45.426481009 CET	443	49729	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:45.434866905 CET	49729	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:45.439275026 CET	49729	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:45.439291954 CET	443	49729	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:45.439438105 CET	49729	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:45.439471006 CET	443	49729	34.117.188.166	192.168.2.5
Jan 2, 2025 09:11:45.450310946 CET	49726	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:45.450342894 CET	49729	443	192.168.2.5	34.117.188.166
Jan 2, 2025 09:11:45.455173016 CET	80	49726	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:45.455461979 CET	49726	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:47.311184883 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:47.316062927 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:47.406501055 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:47.459623098 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:47.688254118 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:47.693181992 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:47.782879114 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:47.829519033 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:47.995994091 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:48.001230955 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:48.091197014 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:48.145773888 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:48.856606007 CET	49732	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:48.856633902 CET	443	49732	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:48.863250017 CET	49732	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:48.865700960 CET	49732	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:48.865721941 CET	443	49732	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:48.866049051 CET	49733	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:48.866094112 CET	443	49733	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:48.866400003 CET	49733	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:48.866539955 CET	49733	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:48.866553068 CET	443	49733	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:49.012423992 CET	49734	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:49.012469053 CET	443	49734	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:49.013703108 CET	49734	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:49.015197039 CET	49734	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:49.015212059 CET	443	49734	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:49.046329021 CET	49735	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:11:49.046354055 CET	443	49735	34.149.100.209	192.168.2.5
Jan 2, 2025 09:11:49.046725035 CET	49735	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:11:49.048371077 CET	49735	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:11:49.048381090 CET	443	49735	34.149.100.209	192.168.2.5
Jan 2, 2025 09:11:49.323276997 CET	443	49733	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:49.323359013 CET	49733	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:49.324811935 CET	443	49732	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.324825048 CET	443	49732	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.328353882 CET	49732	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.339648008 CET	49733	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:49.339670897 CET	443	49733	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:49.340061903 CET	443	49733	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:49.350662947 CET	49733	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:49.350775003 CET	49733	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:49.350883961 CET	443	49733	35.244.181.201	192.168.2.5
Jan 2, 2025 09:11:49.351013899 CET	49732	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.351032972 CET	443	49732	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.351068974 CET	49732	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.351214886 CET	443	49732	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.351923943 CET	49733	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:11:49.351942062 CET	49732	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.381386042 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:49.386420012 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:49.392167091 CET	49736	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.392196894 CET	443	49736	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.392343044 CET	49736	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.393692017 CET	49736	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.393702030 CET	443	49736	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.476181030 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:49.479089022 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:49.483881950 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:49.484122038 CET	443	49734	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:49.487356901 CET	49734	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:49.503289938 CET	443	49735	34.149.100.209	192.168.2.5
Jan 2, 2025 09:11:49.503379107 CET	49735	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:11:49.521645069 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:49.574400902 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:49.621936083 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:49.639019012 CET	49734	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:49.639050961 CET	443	49734	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:49.639100075 CET	49734	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:49.639333010 CET	443	49734	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:49.639983892 CET	49735	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:11:49.640007973 CET	443	49735	34.149.100.209	192.168.2.5
Jan 2, 2025 09:11:49.640049934 CET	49735	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:11:49.640268087 CET	443	49735	34.149.100.209	192.168.2.5
Jan 2, 2025 09:11:49.640975952 CET	49734	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:49.640995026 CET	49735	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:11:49.645339012 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:49.650187969 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:49.652281046 CET	49737	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.652332067 CET	443	49737	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.653063059 CET	49737	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.653173923 CET	49737	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.653182030 CET	443	49737	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.655221939 CET	49738	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.655266047 CET	443	49738	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.656341076 CET	49738	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.656488895 CET	49738	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:49.656505108 CET	443	49738	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.739896059 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:49.791258097 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:49.857599020 CET	443	49736	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:49.857681036 CET	49736	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.120187998 CET	443	49738	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.120265007 CET	49738	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.126122952 CET	443	49737	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.126194954 CET	49737	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.186831951 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:50.188996077 CET	49737	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.189023018 CET	443	49737	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.189348936 CET	443	49737	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.191154003 CET	49738	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.191178083 CET	443	49738	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.191544056 CET	443	49738	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.191998005 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:50.234566927 CET	49736	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.234580994 CET	443	49736	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.234760046 CET	49736	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.234843969 CET	49737	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.234858036 CET	443	49736	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.234905958 CET	49737	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.234968901 CET	49738	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.235035896 CET	49738	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.235095978 CET	443	49737	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.235158920 CET	49736	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.235202074 CET	443	49738	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:50.235239029 CET	49737	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.235285997 CET	49738	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:50.282211065 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:50.323940039 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:51.487740040 CET	49726	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:51.492842913 CET	80	49726	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:51.492911100 CET	49726	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:54.454730034 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:54.457443953 CET	49746	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:54.457505941 CET	443	49746	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:54.457638025 CET	49746	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:54.459162951 CET	49746	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:54.459180117 CET	443	49746	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:54.460038900 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:54.549777985 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:54.583165884 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:54.588037968 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:54.596487045 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:54.678237915 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:54.734477043 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:54.920341969 CET	443	49746	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:54.920428038 CET	49746	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:54.926189899 CET	49746	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:54.926202059 CET	443	49746	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:54.926302910 CET	49746	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:54.926354885 CET	443	49746	34.120.208.123	192.168.2.5
Jan 2, 2025 09:11:54.926482916 CET	49746	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:11:55.193212986 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:55.198019028 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:55.282474995 CET	49753	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:55.282516003 CET	443	49753	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:55.282845974 CET	49753	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:55.284286022 CET	49753	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:55.284297943 CET	443	49753	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:55.287780046 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:55.336282969 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:55.348093033 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:55.353044033 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:55.443196058 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:55.499129057 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:55.737351894 CET	443	49753	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:55.737464905 CET	49753	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:56.187596083 CET	49753	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:56.187625885 CET	443	49753	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:56.187673092 CET	49753	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:56.187906981 CET	443	49753	34.107.243.93	192.168.2.5
Jan 2, 2025 09:11:56.187966108 CET	49753	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:11:56.226624012 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:56.232979059 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:56.321279049 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:56.370407104 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:57.087620020 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:11:57.092406034 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:57.182795048 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:11:57.241743088 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:06.334875107 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:06.339796066 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:06.641655922 CET	49829	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:06.641686916 CET	443	49829	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:06.641875029 CET	49829	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:06.643276930 CET	49829	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:06.643291950 CET	443	49829	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:07.096512079 CET	443	49829	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:07.096597910 CET	49829	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:07.101769924 CET	49829	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:07.101782084 CET	443	49829	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:07.101877928 CET	49829	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:07.101950884 CET	443	49829	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:07.102082968 CET	49829	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:07.104443073 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:07.109246016 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:07.199657917 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:07.199857950 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:07.202970982 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:07.204478979 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:07.207798004 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:07.253066063 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:07.298051119 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:07.353434086 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:09.962932110 CET	49852	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:09.962975025 CET	443	49852	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:09.963892937 CET	49852	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:09.964032888 CET	49852	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:09.964051962 CET	443	49852	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:09.983330965 CET	49853	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:09.983365059 CET	443	49853	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:09.983611107 CET	49853	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:09.983735085 CET	49853	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:09.983747959 CET	443	49853	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:09.984355927 CET	49854	443	192.168.2.5	151.101.193.91
Jan 2, 2025 09:12:09.984395981 CET	443	49854	151.101.193.91	192.168.2.5
Jan 2, 2025 09:12:09.984472990 CET	49854	443	192.168.2.5	151.101.193.91
Jan 2, 2025 09:12:09.984559059 CET	49854	443	192.168.2.5	151.101.193.91
Jan 2, 2025 09:12:09.984571934 CET	443	49854	151.101.193.91	192.168.2.5
Jan 2, 2025 09:12:10.016092062 CET	49855	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:12:10.016127110 CET	443	49855	35.190.72.216	192.168.2.5
Jan 2, 2025 09:12:10.016524076 CET	49855	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:12:10.017952919 CET	49855	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:12:10.017967939 CET	443	49855	35.190.72.216	192.168.2.5
Jan 2, 2025 09:12:10.027376890 CET	49856	443	192.168.2.5	35.201.103.21
Jan 2, 2025 09:12:10.027391911 CET	443	49856	35.201.103.21	192.168.2.5
Jan 2, 2025 09:12:10.027865887 CET	49856	443	192.168.2.5	35.201.103.21
Jan 2, 2025 09:12:10.029294014 CET	49856	443	192.168.2.5	35.201.103.21
Jan 2, 2025 09:12:10.029305935 CET	443	49856	35.201.103.21	192.168.2.5
Jan 2, 2025 09:12:10.445699930 CET	443	49852	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.445800066 CET	49852	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.448688984 CET	49852	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.448698997 CET	443	49852	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.448940992 CET	443	49852	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.451107979 CET	49852	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.451201916 CET	49852	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.451309919 CET	443	49852	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.451371908 CET	49852	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.455226898 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:10.460156918 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:10.483804941 CET	443	49855	35.190.72.216	192.168.2.5
Jan 2, 2025 09:12:10.484061003 CET	49855	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:12:10.485781908 CET	443	49854	151.101.193.91	192.168.2.5
Jan 2, 2025 09:12:10.485888958 CET	49854	443	192.168.2.5	151.101.193.91
Jan 2, 2025 09:12:10.487000942 CET	443	49853	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:10.488390923 CET	49854	443	192.168.2.5	151.101.193.91
Jan 2, 2025 09:12:10.488400936 CET	443	49854	151.101.193.91	192.168.2.5
Jan 2, 2025 09:12:10.488662004 CET	443	49854	151.101.193.91	192.168.2.5
Jan 2, 2025 09:12:10.488755941 CET	49853	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:10.491527081 CET	49853	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:10.491535902 CET	443	49853	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:10.491868019 CET	443	49853	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:10.493392944 CET	443	49856	35.201.103.21	192.168.2.5
Jan 2, 2025 09:12:10.493407011 CET	49855	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:12:10.493413925 CET	443	49855	35.190.72.216	192.168.2.5
Jan 2, 2025 09:12:10.493501902 CET	49855	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:12:10.493597031 CET	49856	443	192.168.2.5	35.201.103.21
Jan 2, 2025 09:12:10.493618011 CET	443	49855	35.190.72.216	192.168.2.5
Jan 2, 2025 09:12:10.495874882 CET	49854	443	192.168.2.5	151.101.193.91
Jan 2, 2025 09:12:10.495949030 CET	49854	443	192.168.2.5	151.101.193.91
Jan 2, 2025 09:12:10.496021986 CET	443	49854	151.101.193.91	192.168.2.5
Jan 2, 2025 09:12:10.497498989 CET	49853	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:10.497550011 CET	49853	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:10.497916937 CET	443	49853	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:10.498933077 CET	49856	443	192.168.2.5	35.201.103.21
Jan 2, 2025 09:12:10.498940945 CET	443	49856	35.201.103.21	192.168.2.5
Jan 2, 2025 09:12:10.498980045 CET	49856	443	192.168.2.5	35.201.103.21
Jan 2, 2025 09:12:10.499089956 CET	443	49856	35.201.103.21	192.168.2.5
Jan 2, 2025 09:12:10.499730110 CET	49855	443	192.168.2.5	35.190.72.216
Jan 2, 2025 09:12:10.499758005 CET	49854	443	192.168.2.5	151.101.193.91
Jan 2, 2025 09:12:10.499772072 CET	49853	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:10.499780893 CET	49856	443	192.168.2.5	35.201.103.21
Jan 2, 2025 09:12:10.504298925 CET	49860	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.504338980 CET	443	49860	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.505580902 CET	49860	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.505709887 CET	49860	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.505724907 CET	443	49860	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.507901907 CET	49861	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.507925034 CET	443	49861	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.508269072 CET	49861	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.508352995 CET	49861	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.508362055 CET	443	49861	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.520617962 CET	49862	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.520642042 CET	443	49862	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.523188114 CET	49862	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.524128914 CET	49862	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.524146080 CET	443	49862	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.525418997 CET	49863	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:10.525455952 CET	443	49863	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:10.526074886 CET	49863	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:10.526190042 CET	49863	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:10.526204109 CET	443	49863	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:10.549789906 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:10.554425001 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:10.559273958 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:10.593858004 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:10.649570942 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:10.694150925 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:10.969424009 CET	443	49860	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.969500065 CET	49860	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.972362995 CET	49860	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.972373009 CET	443	49860	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.972614050 CET	443	49860	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.975182056 CET	49860	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.975282907 CET	49860	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.975302935 CET	443	49860	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.977660894 CET	443	49861	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.979001045 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:10.979392052 CET	49860	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.979425907 CET	49861	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.981899977 CET	49861	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.981906891 CET	443	49861	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.982285023 CET	443	49861	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.983850956 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:10.984447002 CET	49861	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.984523058 CET	49861	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:10.984630108 CET	443	49861	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:10.985116005 CET	49861	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:11.043688059 CET	443	49863	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:11.043764114 CET	49863	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:11.046961069 CET	49863	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:11.046978951 CET	443	49863	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:11.047169924 CET	443	49862	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:11.047230005 CET	49862	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:11.047241926 CET	443	49863	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:11.049875975 CET	49862	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:11.049885988 CET	443	49862	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:11.050128937 CET	443	49862	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:11.052517891 CET	49863	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:11.052618027 CET	49863	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:11.052668095 CET	443	49863	34.149.100.209	192.168.2.5
Jan 2, 2025 09:12:11.053513050 CET	49863	443	192.168.2.5	34.149.100.209
Jan 2, 2025 09:12:11.053606987 CET	49862	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:11.053673983 CET	49862	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:11.053762913 CET	443	49862	35.244.181.201	192.168.2.5
Jan 2, 2025 09:12:11.053813934 CET	49862	443	192.168.2.5	35.244.181.201
Jan 2, 2025 09:12:11.073587894 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:11.076395035 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:11.081156969 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:11.133080006 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:11.172028065 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:11.233370066 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:21.092708111 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:21.097574949 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:21.192996025 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:21.197825909 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:23.603615046 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:23.608483076 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:23.698127031 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:23.709507942 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:23.714401007 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:23.747128963 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:23.804800034 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:23.847436905 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:27.122304916 CET	49971	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:27.122359037 CET	443	49971	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:27.122622967 CET	49971	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:27.123946905 CET	49971	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:27.123961926 CET	443	49971	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:27.579149961 CET	443	49971	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:27.579308987 CET	49971	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:27.583868980 CET	49971	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:27.583895922 CET	443	49971	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:27.583990097 CET	49971	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:27.584017038 CET	443	49971	34.107.243.93	192.168.2.5
Jan 2, 2025 09:12:27.584616899 CET	49971	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:12:27.586510897 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:27.591414928 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:27.680957079 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:27.684093952 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:27.688950062 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:27.728991032 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:27.779185057 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:27.829279900 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:37.680951118 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:37.686125994 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:37.781323910 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:37.786278963 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:40.159117937 CET	50026	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.159157038 CET	443	50026	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.159234047 CET	50026	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.159418106 CET	50026	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.159434080 CET	443	50026	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.194047928 CET	50027	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.194097042 CET	443	50027	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.209491014 CET	50027	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.211111069 CET	50027	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.211146116 CET	443	50027	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.615246058 CET	443	50026	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.619354010 CET	443	50026	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.620137930 CET	50026	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.623011112 CET	50026	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.623023033 CET	443	50026	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.623346090 CET	443	50026	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.625225067 CET	50026	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.625320911 CET	50026	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.625415087 CET	443	50026	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.625684023 CET	50026	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.660991907 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:40.665888071 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:40.666743040 CET	443	50027	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.666762114 CET	443	50027	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.667018890 CET	50027	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.670212984 CET	50027	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.670238972 CET	443	50027	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.670532942 CET	443	50027	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.673749924 CET	50027	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.673851967 CET	50027	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.673962116 CET	443	50027	34.120.208.123	192.168.2.5
Jan 2, 2025 09:12:40.674149990 CET	50027	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:12:40.755820036 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:40.786237955 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:40.791368008 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:40.811145067 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:40.882082939 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:40.942750931 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:50.770771980 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:50.775640965 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:12:50.902333021 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:12:50.907226086 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:00.783256054 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:00.788182974 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:00.914732933 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:00.919718981 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:07.760986090 CET	50029	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:13:07.761018991 CET	443	50029	34.107.243.93	192.168.2.5
Jan 2, 2025 09:13:07.761254072 CET	50029	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:13:07.762661934 CET	50029	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:13:07.762676001 CET	443	50029	34.107.243.93	192.168.2.5
Jan 2, 2025 09:13:08.224307060 CET	443	50029	34.107.243.93	192.168.2.5
Jan 2, 2025 09:13:08.224416971 CET	50029	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:13:08.227891922 CET	50029	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:13:08.227904081 CET	443	50029	34.107.243.93	192.168.2.5
Jan 2, 2025 09:13:08.227998018 CET	50029	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:13:08.228146076 CET	443	50029	34.107.243.93	192.168.2.5
Jan 2, 2025 09:13:08.228200912 CET	50029	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:13:08.230566025 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:08.235348940 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:08.324984074 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:08.328761101 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:08.333537102 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:08.367378950 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:08.426079035 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:08.467890978 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:18.334744930 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:18.339731932 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:18.435019016 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:18.439888954 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:28.347914934 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:28.352859020 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:28.448165894 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:28.452991962 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:38.353796959 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:38.358745098 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:38.454107046 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:38.459068060 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:48.366269112 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:48.371253967 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:48.466547966 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:48.471479893 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:58.378391027 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:58.383356094 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:13:58.478776932 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:13:58.483681917 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:08.391166925 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:08.396035910 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:08.491434097 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:08.496270895 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:18.404586077 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:18.409451962 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:18.504939079 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:18.509911060 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:28.418306112 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:28.423368931 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:28.518490076 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:28.523380995 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:29.057981014 CET	50030	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:14:29.058012009 CET	443	50030	34.107.243.93	192.168.2.5
Jan 2, 2025 09:14:29.058204889 CET	50030	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:14:29.059791088 CET	50030	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:14:29.059807062 CET	443	50030	34.107.243.93	192.168.2.5
Jan 2, 2025 09:14:29.514988899 CET	443	50030	34.107.243.93	192.168.2.5
Jan 2, 2025 09:14:29.515109062 CET	50030	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:14:29.520369053 CET	50030	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:14:29.520380974 CET	443	50030	34.107.243.93	192.168.2.5
Jan 2, 2025 09:14:29.520488977 CET	50030	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:14:29.520576954 CET	443	50030	34.107.243.93	192.168.2.5
Jan 2, 2025 09:14:29.521348000 CET	50030	443	192.168.2.5	34.107.243.93
Jan 2, 2025 09:14:29.523444891 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:29.529652119 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:29.619563103 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:29.623234034 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:29.628127098 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:29.668528080 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:29.718643904 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:29.768799067 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:39.629199028 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:39.634099960 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:39.731987953 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:39.736967087 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:41.173808098 CET	50031	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.173846960 CET	443	50031	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.174021959 CET	50032	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.174071074 CET	443	50032	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.174159050 CET	50033	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.174187899 CET	443	50033	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.174228907 CET	50031	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.174268007 CET	50032	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.174329996 CET	50033	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.174411058 CET	50031	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.174426079 CET	443	50031	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.174560070 CET	50032	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.174576998 CET	443	50032	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.174690962 CET	50033	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.174705029 CET	443	50033	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.628957033 CET	443	50031	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.629061937 CET	50031	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.632373095 CET	50031	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.632385015 CET	443	50031	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.632581949 CET	443	50032	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.632628918 CET	443	50031	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.632685900 CET	50032	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.635329008 CET	50032	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.635345936 CET	443	50032	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.635617971 CET	443	50032	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.636993885 CET	443	50033	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.637362957 CET	50033	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.639853001 CET	50033	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.639878035 CET	443	50033	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.640106916 CET	443	50033	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.640743971 CET	50031	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.640867949 CET	50031	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.640929937 CET	443	50031	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.642527103 CET	50032	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.642620087 CET	50032	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.642739058 CET	443	50032	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.644453049 CET	50033	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.644551992 CET	50033	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.644630909 CET	443	50033	34.120.208.123	192.168.2.5
Jan 2, 2025 09:14:41.646687031 CET	50031	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.646701097 CET	50032	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.646720886 CET	50033	443	192.168.2.5	34.120.208.123
Jan 2, 2025 09:14:41.647556067 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:41.652368069 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:41.742022038 CET	80	49728	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:41.744755983 CET	49723	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:41.749574900 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:41.791142941 CET	49728	80	192.168.2.5	34.107.221.82
Jan 2, 2025 09:14:41.839791059 CET	80	49723	34.107.221.82	192.168.2.5
Jan 2, 2025 09:14:41.891479969 CET	49723	80	192.168.2.5	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:11:41.415169954 CET	52220	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:41.422084093 CET	53	52220	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:41.473433971 CET	54511	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:41.480148077 CET	53	54511	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.200380087 CET	64772	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.207366943 CET	53	64772	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.210988045 CET	62942	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.217973948 CET	53	62942	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.218727112 CET	51106	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.225500107 CET	53	51106	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.377702951 CET	57168	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.386329889 CET	62986	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.393376112 CET	53	62986	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.408298969 CET	54710	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.414973021 CET	53	54710	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.711695910 CET	62407	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.718578100 CET	53	62407	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.721282005 CET	62332	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.725660086 CET	55236	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.728177071 CET	53	62332	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.730093956 CET	64628	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.732287884 CET	53	55236	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.736851931 CET	54380	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.737168074 CET	53	64628	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.743381023 CET	53	54380	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:42.745351076 CET	49923	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:42.752140999 CET	53	49923	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:43.580591917 CET	62674	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:43.586184978 CET	55750	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:43.587143898 CET	53	62674	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:43.590641022 CET	57792	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:43.592766047 CET	53	55750	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:43.597342014 CET	53	57792	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:43.604793072 CET	61809	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:43.611491919 CET	53	61809	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:43.847387075 CET	64677	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:43.847994089 CET	65166	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:43.854486942 CET	53	65166	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:43.857796907 CET	53691	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:43.864773989 CET	53	53691	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:43.865405083 CET	64931	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:43.872073889 CET	53	64931	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:44.449803114 CET	57752	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:44.477161884 CET	53	50515	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:47.096810102 CET	61778	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:47.103725910 CET	53	61778	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:47.104749918 CET	62444	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:47.111402035 CET	53	62444	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:47.112044096 CET	64184	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:47.119101048 CET	53	64184	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:48.847542048 CET	60942	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:48.854379892 CET	53	60942	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:48.858052015 CET	57000	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:48.864947081 CET	53	57000	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:48.865942001 CET	59761	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:48.866935015 CET	52666	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:48.872922897 CET	53	59761	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:48.873543024 CET	53	52666	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:48.878665924 CET	58037	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:48.885560036 CET	53	58037	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:48.899373055 CET	52968	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:48.906100988 CET	53	52968	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:48.998099089 CET	53732	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:49.004865885 CET	53	53732	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:49.046643972 CET	49393	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:49.053414106 CET	53	49393	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:49.081573963 CET	52081	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:49.088395119 CET	53	52081	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:54.457319975 CET	50186	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:54.465055943 CET	53	50186	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:55.284310102 CET	63947	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:55.290783882 CET	53	63947	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.081331968 CET	56865	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.081635952 CET	50312	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.081988096 CET	51882	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.088232040 CET	53	56865	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.089015007 CET	53	51882	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.089026928 CET	53	50312	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.151439905 CET	52016	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.153345108 CET	50937	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.153820992 CET	55865	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.158078909 CET	53	52016	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.158584118 CET	63282	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.160404921 CET	53	50937	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.161128044 CET	59614	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.161257029 CET	53	55865	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.161750078 CET	52102	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.165353060 CET	53	63282	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.167772055 CET	53	59614	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.168553114 CET	53	52102	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.697150946 CET	64776	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.697391987 CET	54229	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:57.703836918 CET	53	64776	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:57.703855991 CET	53	54229	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:58.440593958 CET	51385	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:58.440644026 CET	57814	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:58.447521925 CET	53	51385	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:58.447563887 CET	53	57814	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:58.448057890 CET	57025	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:58.448395967 CET	50452	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:11:58.454927921 CET	53	57025	1.1.1.1	192.168.2.5
Jan 2, 2025 09:11:58.455379963 CET	53	50452	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:06.642446995 CET	51420	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:06.649431944 CET	53	51420	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:09.963476896 CET	61384	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:09.971065998 CET	53	61384	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:09.975819111 CET	54849	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:09.982589006 CET	53	54849	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:09.984900951 CET	62140	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:09.991499901 CET	53	62140	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:09.992022038 CET	55069	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:09.998929977 CET	53	55069	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:10.016284943 CET	62018	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:10.023678064 CET	53	62018	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:10.027559996 CET	49480	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:10.034521103 CET	53	49480	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:10.045464993 CET	63591	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:10.052752972 CET	53	63591	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:23.603950977 CET	57412	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:27.114708900 CET	57435	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:27.121480942 CET	53	57435	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:27.122003078 CET	60933	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:27.128541946 CET	53	60933	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:40.152053118 CET	54252	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:12:40.160350084 CET	53	54252	1.1.1.1	192.168.2.5
Jan 2, 2025 09:12:40.661406040 CET	49563	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:13:07.753277063 CET	49248	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:13:07.760062933 CET	53	49248	1.1.1.1	192.168.2.5
Jan 2, 2025 09:13:07.760982037 CET	59192	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:13:07.767520905 CET	53	59192	1.1.1.1	192.168.2.5
Jan 2, 2025 09:13:08.230746984 CET	65324	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:14:29.042085886 CET	61655	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:14:29.048993111 CET	53	61655	1.1.1.1	192.168.2.5
Jan 2, 2025 09:14:29.049978018 CET	57032	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:14:29.057132959 CET	53	57032	1.1.1.1	192.168.2.5
Jan 2, 2025 09:14:29.057651043 CET	51356	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:14:29.064235926 CET	53	51356	1.1.1.1	192.168.2.5
Jan 2, 2025 09:14:29.523686886 CET	58354	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:14:41.174269915 CET	64855	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:14:41.180860043 CET	53	64855	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 09:11:41.415169954 CET	192.168.2.5	1.1.1.1	0xdecc	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:41.473433971 CET	192.168.2.5	1.1.1.1	0xa2be	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:11:42.200380087 CET	192.168.2.5	1.1.1.1	0x7995	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.210988045 CET	192.168.2.5	1.1.1.1	0xc3a4	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.218727112 CET	192.168.2.5	1.1.1.1	0x8668	Standard query (0)	youtube.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:42.377702951 CET	192.168.2.5	1.1.1.1	0xac50	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.386329889 CET	192.168.2.5	1.1.1.1	0xc32	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.408298969 CET	192.168.2.5	1.1.1.1	0xe3f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:11:42.711695910 CET	192.168.2.5	1.1.1.1	0x35da	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.721282005 CET	192.168.2.5	1.1.1.1	0x1ade	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.725660086 CET	192.168.2.5	1.1.1.1	0xc56f	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.730093956 CET	192.168.2.5	1.1.1.1	0x10fe	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:42.736851931 CET	192.168.2.5	1.1.1.1	0x624d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.745351076 CET	192.168.2.5	1.1.1.1	0x1212	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:11:43.580591917 CET	192.168.2.5	1.1.1.1	0xcfff	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.586184978 CET	192.168.2.5	1.1.1.1	0xc3a	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.590641022 CET	192.168.2.5	1.1.1.1	0x1255	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.604793072 CET	192.168.2.5	1.1.1.1	0xf7fb	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:11:43.847387075 CET	192.168.2.5	1.1.1.1	0x2126	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.847994089 CET	192.168.2.5	1.1.1.1	0x5624	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.857796907 CET	192.168.2.5	1.1.1.1	0xc99a	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.865405083 CET	192.168.2.5	1.1.1.1	0x96c6	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:11:44.449803114 CET	192.168.2.5	1.1.1.1	0xb6a2	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:47.096810102 CET	192.168.2.5	1.1.1.1	0x2851	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:47.104749918 CET	192.168.2.5	1.1.1.1	0x5bb7	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:47.112044096 CET	192.168.2.5	1.1.1.1	0xcf86	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:11:48.847542048 CET	192.168.2.5	1.1.1.1	0x3a9a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:11:48.858052015 CET	192.168.2.5	1.1.1.1	0x8cad	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:48.865942001 CET	192.168.2.5	1.1.1.1	0xbc8b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:48.866935015 CET	192.168.2.5	1.1.1.1	0xd978	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:48.878665924 CET	192.168.2.5	1.1.1.1	0xa36	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:48.899373055 CET	192.168.2.5	1.1.1.1	0xec90	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:48.998099089 CET	192.168.2.5	1.1.1.1	0xf248	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:49.046643972 CET	192.168.2.5	1.1.1.1	0x9360	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:49.081573963 CET	192.168.2.5	1.1.1.1	0x57f4	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:11:54.457319975 CET	192.168.2.5	1.1.1.1	0x908b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:55.284310102 CET	192.168.2.5	1.1.1.1	0x22b0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:57.081331968 CET	192.168.2.5	1.1.1.1	0x6df1	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.081635952 CET	192.168.2.5	1.1.1.1	0xd98c	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.081988096 CET	192.168.2.5	1.1.1.1	0x9533	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.151439905 CET	192.168.2.5	1.1.1.1	0xed2a	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.153345108 CET	192.168.2.5	1.1.1.1	0x6fdf	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.153820992 CET	192.168.2.5	1.1.1.1	0xbf67	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.158584118 CET	192.168.2.5	1.1.1.1	0x676a	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Jan 2, 2025 09:11:57.161128044 CET	192.168.2.5	1.1.1.1	0x6f56	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:57.161750078 CET	192.168.2.5	1.1.1.1	0xe00d	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:57.697150946 CET	192.168.2.5	1.1.1.1	0x8839	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.697391987 CET	192.168.2.5	1.1.1.1	0xca88	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:58.440593958 CET	192.168.2.5	1.1.1.1	0x38eb	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:58.440644026 CET	192.168.2.5	1.1.1.1	0x2575	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:58.448057890 CET	192.168.2.5	1.1.1.1	0x2d6a	Standard query (0)	twitter.com	28	IN (0x0001)	false
Jan 2, 2025 09:11:58.448395967 CET	192.168.2.5	1.1.1.1	0x38ae	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Jan 2, 2025 09:12:06.642446995 CET	192.168.2.5	1.1.1.1	0xede2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:12:09.963476896 CET	192.168.2.5	1.1.1.1	0x5032	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jan 2, 2025 09:12:09.975819111 CET	192.168.2.5	1.1.1.1	0x4513	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.984900951 CET	192.168.2.5	1.1.1.1	0xd234	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.992022038 CET	192.168.2.5	1.1.1.1	0x1be8	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Jan 2, 2025 09:12:10.016284943 CET	192.168.2.5	1.1.1.1	0x1af9	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:10.027559996 CET	192.168.2.5	1.1.1.1	0x2d82	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:10.045464993 CET	192.168.2.5	1.1.1.1	0x538c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:12:23.603950977 CET	192.168.2.5	1.1.1.1	0x5f56	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:27.114708900 CET	192.168.2.5	1.1.1.1	0xef47	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:27.122003078 CET	192.168.2.5	1.1.1.1	0x30b2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:12:40.152053118 CET	192.168.2.5	1.1.1.1	0x83b9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:12:40.661406040 CET	192.168.2.5	1.1.1.1	0x244d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:13:07.753277063 CET	192.168.2.5	1.1.1.1	0xefed	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:13:07.760982037 CET	192.168.2.5	1.1.1.1	0x8a67	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:13:08.230746984 CET	192.168.2.5	1.1.1.1	0xf2aa	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:14:29.042085886 CET	192.168.2.5	1.1.1.1	0x48a8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:14:29.049978018 CET	192.168.2.5	1.1.1.1	0xcca3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:14:29.057651043 CET	192.168.2.5	1.1.1.1	0xe832	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Jan 2, 2025 09:14:29.523686886 CET	192.168.2.5	1.1.1.1	0x9b32	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:14:41.174269915 CET	192.168.2.5	1.1.1.1	0xc4a0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:11:41.411242008 CET	1.1.1.1	192.168.2.5	0x843f	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:41.422084093 CET	1.1.1.1	192.168.2.5	0xdecc	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.207366943 CET	1.1.1.1	192.168.2.5	0x7995	No error (0)	youtube.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.217973948 CET	1.1.1.1	192.168.2.5	0xc3a4	No error (0)	youtube.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.225500107 CET	1.1.1.1	192.168.2.5	0x8668	No error (0)	youtube.com			28	IN (0x0001)	false
Jan 2, 2025 09:11:42.384516954 CET	1.1.1.1	192.168.2.5	0xac50	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:42.384516954 CET	1.1.1.1	192.168.2.5	0xac50	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.393376112 CET	1.1.1.1	192.168.2.5	0xc32	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.414973021 CET	1.1.1.1	192.168.2.5	0xe3f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Jan 2, 2025 09:11:42.718578100 CET	1.1.1.1	192.168.2.5	0x35da	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.728177071 CET	1.1.1.1	192.168.2.5	0x1ade	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.732287884 CET	1.1.1.1	192.168.2.5	0xc56f	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:42.732287884 CET	1.1.1.1	192.168.2.5	0xc56f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:42.743381023 CET	1.1.1.1	192.168.2.5	0x624d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.579592943 CET	1.1.1.1	192.168.2.5	0x8807	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:43.579592943 CET	1.1.1.1	192.168.2.5	0x8807	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.587143898 CET	1.1.1.1	192.168.2.5	0xcfff	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.592766047 CET	1.1.1.1	192.168.2.5	0xc3a	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.592766047 CET	1.1.1.1	192.168.2.5	0xc3a	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.597342014 CET	1.1.1.1	192.168.2.5	0x1255	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.854078054 CET	1.1.1.1	192.168.2.5	0x2126	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:43.854078054 CET	1.1.1.1	192.168.2.5	0x2126	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.854486942 CET	1.1.1.1	192.168.2.5	0x5624	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:43.854486942 CET	1.1.1.1	192.168.2.5	0x5624	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:43.854486942 CET	1.1.1.1	192.168.2.5	0x5624	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.864773989 CET	1.1.1.1	192.168.2.5	0xc99a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:43.872073889 CET	1.1.1.1	192.168.2.5	0x96c6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Jan 2, 2025 09:11:44.459961891 CET	1.1.1.1	192.168.2.5	0xb6a2	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:47.103725910 CET	1.1.1.1	192.168.2.5	0x2851	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:47.103725910 CET	1.1.1.1	192.168.2.5	0x2851	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:47.103725910 CET	1.1.1.1	192.168.2.5	0x2851	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:47.111402035 CET	1.1.1.1	192.168.2.5	0x5bb7	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:48.849889040 CET	1.1.1.1	192.168.2.5	0x720b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:48.853349924 CET	1.1.1.1	192.168.2.5	0x436b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:48.853349924 CET	1.1.1.1	192.168.2.5	0x436b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:48.864947081 CET	1.1.1.1	192.168.2.5	0x8cad	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:48.872922897 CET	1.1.1.1	192.168.2.5	0xbc8b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:48.885560036 CET	1.1.1.1	192.168.2.5	0xa36	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:49.004865885 CET	1.1.1.1	192.168.2.5	0xf248	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:49.004865885 CET	1.1.1.1	192.168.2.5	0xf248	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:49.053414106 CET	1.1.1.1	192.168.2.5	0x9360	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:49.391415119 CET	1.1.1.1	192.168.2.5	0x15c1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.088232040 CET	1.1.1.1	192.168.2.5	0x6df1	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.089015007 CET	1.1.1.1	192.168.2.5	0x9533	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:57.089015007 CET	1.1.1.1	192.168.2.5	0x9533	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.089026928 CET	1.1.1.1	192.168.2.5	0xd98c	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:57.089026928 CET	1.1.1.1	192.168.2.5	0xd98c	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.158078909 CET	1.1.1.1	192.168.2.5	0xed2a	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.160404921 CET	1.1.1.1	192.168.2.5	0x6fdf	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.161257029 CET	1.1.1.1	192.168.2.5	0xbf67	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.165353060 CET	1.1.1.1	192.168.2.5	0x676a	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Jan 2, 2025 09:11:57.167772055 CET	1.1.1.1	192.168.2.5	0x6f56	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Jan 2, 2025 09:11:57.168553114 CET	1.1.1.1	192.168.2.5	0xe00d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Jan 2, 2025 09:11:57.168553114 CET	1.1.1.1	192.168.2.5	0xe00d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Jan 2, 2025 09:11:57.168553114 CET	1.1.1.1	192.168.2.5	0xe00d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Jan 2, 2025 09:11:57.168553114 CET	1.1.1.1	192.168.2.5	0xe00d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Jan 2, 2025 09:11:57.703836918 CET	1.1.1.1	192.168.2.5	0x8839	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:11:57.703836918 CET	1.1.1.1	192.168.2.5	0x8839	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.703836918 CET	1.1.1.1	192.168.2.5	0x8839	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.703836918 CET	1.1.1.1	192.168.2.5	0x8839	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.703836918 CET	1.1.1.1	192.168.2.5	0x8839	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:57.703855991 CET	1.1.1.1	192.168.2.5	0xca88	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:58.447521925 CET	1.1.1.1	192.168.2.5	0x38eb	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:58.447563887 CET	1.1.1.1	192.168.2.5	0x2575	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:58.447563887 CET	1.1.1.1	192.168.2.5	0x2575	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:58.447563887 CET	1.1.1.1	192.168.2.5	0x2575	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:11:58.447563887 CET	1.1.1.1	192.168.2.5	0x2575	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.961847067 CET	1.1.1.1	192.168.2.5	0x4b47	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:12:09.961847067 CET	1.1.1.1	192.168.2.5	0x4b47	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.982589006 CET	1.1.1.1	192.168.2.5	0x4513	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.982589006 CET	1.1.1.1	192.168.2.5	0x4513	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.982589006 CET	1.1.1.1	192.168.2.5	0x4513	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.982589006 CET	1.1.1.1	192.168.2.5	0x4513	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.991499901 CET	1.1.1.1	192.168.2.5	0xd234	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.991499901 CET	1.1.1.1	192.168.2.5	0xd234	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.991499901 CET	1.1.1.1	192.168.2.5	0xd234	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.991499901 CET	1.1.1.1	192.168.2.5	0xd234	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:09.998929977 CET	1.1.1.1	192.168.2.5	0x1be8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Jan 2, 2025 09:12:09.998929977 CET	1.1.1.1	192.168.2.5	0x1be8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Jan 2, 2025 09:12:09.998929977 CET	1.1.1.1	192.168.2.5	0x1be8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Jan 2, 2025 09:12:09.998929977 CET	1.1.1.1	192.168.2.5	0x1be8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Jan 2, 2025 09:12:10.023678064 CET	1.1.1.1	192.168.2.5	0x1af9	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:12:10.023678064 CET	1.1.1.1	192.168.2.5	0x1af9	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:10.034521103 CET	1.1.1.1	192.168.2.5	0x2d82	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:10.990806103 CET	1.1.1.1	192.168.2.5	0x776e	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:12:10.990806103 CET	1.1.1.1	192.168.2.5	0x776e	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:12:23.610940933 CET	1.1.1.1	192.168.2.5	0x5f56	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:12:23.610940933 CET	1.1.1.1	192.168.2.5	0x5f56	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:27.121480942 CET	1.1.1.1	192.168.2.5	0xef47	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:40.158257008 CET	1.1.1.1	192.168.2.5	0x3ec6	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:12:40.668363094 CET	1.1.1.1	192.168.2.5	0x244d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:12:40.668363094 CET	1.1.1.1	192.168.2.5	0x244d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:13:07.760062933 CET	1.1.1.1	192.168.2.5	0xefed	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:13:08.237616062 CET	1.1.1.1	192.168.2.5	0xf2aa	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:13:08.237616062 CET	1.1.1.1	192.168.2.5	0xf2aa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:14:29.048993111 CET	1.1.1.1	192.168.2.5	0x48a8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:14:29.057132959 CET	1.1.1.1	192.168.2.5	0xcca3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:14:29.533216953 CET	1.1.1.1	192.168.2.5	0x9b32	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:14:29.533216953 CET	1.1.1.1	192.168.2.5	0x9b32	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:14:41.168750048 CET	1.1.1.1	192.168.2.5	0xb844	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	34.107.221.82	80	4768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:11:42.476890087 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:42.925568104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 13:29:39 GMT Age: 67323 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:11:43.855943918 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:43.952353954 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 13:29:39 GMT Age: 67324 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	34.107.221.82	80	4768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:11:43.860871077 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49723	34.107.221.82	80	4768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:11:44.321255922 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:11:44.765775919 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66689 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:11:47.311184883 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:11:47.406501055 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66692 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:11:47.995994091 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:11:48.091197014 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66693 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:11:49.479089022 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:11:49.574400902 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66694 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:11:50.186831951 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:11:50.282211065 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66695 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:11:54.583165884 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:11:54.678237915 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66699 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:11:55.348093033 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:11:55.443196058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66700 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:11:57.087620020 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:11:57.182795048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66702 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:12:07.199657917 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:12:07.202970982 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:12:07.298051119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66712 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:12:10.554425001 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:12:10.649570942 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66715 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:12:11.076395035 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:12:11.172028065 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66716 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:12:21.192996025 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:12:23.709507942 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:12:23.804800034 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66728 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:12:27.684093952 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:12:27.779185057 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66732 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:12:37.781323910 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:12:40.786237955 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:12:40.882082939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66745 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:12:50.902333021 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:00.914732933 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:08.328761101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:13:08.426079035 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66773 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:13:18.435019016 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:28.448165894 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:38.454107046 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:48.466547966 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:58.478776932 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:14:29.623234034 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:14:29.718643904 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66854 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jan 2, 2025 09:14:41.744755983 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jan 2, 2025 09:14:41.839791059 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 01 Jan 2025 13:40:15 GMT Age: 66866 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49728	34.107.221.82	80	4768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:11:44.721589088 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:45.166569948 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62079 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:11:47.688254118 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:47.782879114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62081 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:11:49.381386042 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:49.476181030 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62083 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:11:49.645339012 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:49.739896059 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62083 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:11:54.454730034 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:54.549777985 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62088 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:11:55.193212986 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:55.287780046 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62089 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:11:56.226624012 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:11:56.321279049 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62090 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:12:06.334875107 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:12:07.104443073 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:12:07.199857950 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62101 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:12:10.455226898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:12:10.549789906 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62104 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:12:10.979001045 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:12:11.073587894 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62105 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:12:21.092708111 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:12:23.603615046 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:12:23.698127031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62117 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:12:27.586510897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:12:27.680957079 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62121 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:12:37.680951118 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:12:40.660991907 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:12:40.755820036 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62134 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:12:50.770771980 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:00.783256054 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:08.230566025 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:13:08.324984074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62162 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:13:18.334744930 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:28.347914934 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:38.353796959 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:48.366269112 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:13:58.378391027 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 2, 2025 09:14:29.523444891 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:14:29.619563103 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62243 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jan 2, 2025 09:14:41.647556067 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jan 2, 2025 09:14:41.742022038 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 01 Jan 2025 14:57:06 GMT Age: 62255 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	03:11:33
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0x3d0000
File size:	968'192 bytes
MD5 hash:	CA250DF7319AC4E1A197E00FDA0C4323
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:11:34
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x970000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:11:34
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:11:36
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x970000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:11:36
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:11:36
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x970000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:11:36
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:11:36
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x970000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:11:36
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:11:37
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x970000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:11:37
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:11:37
Start date:	02/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:11:37
Start date:	02/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:11:37
Start date:	02/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	03:11:38
Start date:	02/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2116 -prefMapHandle 2088 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15de6b27-7044-40bf-a2c2-be7884e414f8} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f42196ed10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	03:11:40
Start date:	02/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -parentBuildID 20230927232528 -prefsHandle 4136 -prefMapHandle 2752 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72a50f43-12cd-4721-987a-ef72a27437aa} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f4393c4910 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	03:11:47
Start date:	02/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5048 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9f16bfd-66d4-41a9-b176-b8c89b0ae8c4} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2f439d11110 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.2%
Total number of Nodes:	1753
Total number of Limit Nodes:	48

Executed Functions

Function 003D42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003D430D

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

GetCurrentProcess.KERNEL32(?,0046CB64,00000000,?,?), ref: 003D4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 003D4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 003D4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003D4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 003D4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 003D447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003D44A0

Strings

GetNativeSystemInfo, xrefs: 003D4460
kernel32.dll, xrefs: 003D444F
|O, xrefs: 004136F8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 54b73c7f7131cb668af41de280b94d509e55d24136c3d6286a120b7f97a4ceeb
Instruction ID: 67c6bc602bec462f7d127f0453d36af2cfc2cc28f3d7ebed3b627a0669192bb7
Opcode Fuzzy Hash: 54b73c7f7131cb668af41de280b94d509e55d24136c3d6286a120b7f97a4ceeb
Instruction Fuzzy Hash: 84A1937690A2C0DFEF12CF6A78815E57FA46B27340F0848BAD88197B71D674495CCB2E

Function 003D42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003D50AA,?,?,00000000,00000000), ref: 003D42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003D50AA,?,?,00000000,00000000), ref: 003D42C9
LoadResource.KERNEL32(?,00000000,?,?,003D50AA,?,?,00000000,00000000,?,?,?,?,?,?,003D4F20), ref: 004135BE
SizeofResource.KERNEL32(?,00000000,?,?,003D50AA,?,?,00000000,00000000,?,?,?,?,?,?,003D4F20), ref: 004135D3
LockResource.KERNEL32(003D50AA,?,?,003D50AA,?,?,00000000,00000000,?,?,?,?,?,?,003D4F20,?), ref: 004135E6

Strings

SCRIPT, xrefs: 003D42BF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: fe1edb083716822c901fdb55bf5ca3df143228a677455b9871b35cdea9aa1030
Instruction ID: 4c5f5f2a31aba385cb0a09238ff123cabef7d231f9fa14a8daa4d6772c8ca3da
Opcode Fuzzy Hash: fe1edb083716822c901fdb55bf5ca3df143228a677455b9871b35cdea9aa1030
Instruction Fuzzy Hash: 2A117071600701BFD7219B65EC88F677BB9EBC5B51F10456AF846D6250EBB1D80086A1

Function 00412BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 003D2B6B

Part of subcall function 003D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004A1418,?,003D2E7F,?,?,?,00000000), ref: 003D3A78

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00492224), ref: 00412C10
ShellExecuteW.SHELL32(00000000,?,?,00492224), ref: 00412C17

Strings

runas, xrefs: 00412C0B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: f3475db14321fa796370053bf6c4e4befeaa749a7cc2f43580d4dfdc1f016edc
Instruction ID: 5a921af71bd03d6b10aa0c53f010d0906a2ae573f1e04bdf3f37fa78b1c73a15
Opcode Fuzzy Hash: f3475db14321fa796370053bf6c4e4befeaa749a7cc2f43580d4dfdc1f016edc
Instruction Fuzzy Hash: 0C11A5332083416AC706FF64F851ABE7BA49BA5740F04442FF0825B2A2DF648949D717

Function 0043D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0043D501
Process32FirstW.KERNEL32(00000000,?), ref: 0043D50F
Process32NextW.KERNEL32(00000000,?), ref: 0043D52F
CloseHandle.KERNEL32(00000000), ref: 0043D5DC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 44ed9f8c78f547c5670301a6c8a5b93faf25bd4e0e8c0617c3e3522a2f6a5b6b
Instruction ID: 57f962b62883236355567a99f24b5e3e5b93ccc3d27fa687035e0ca8a1ce92a7
Opcode Fuzzy Hash: 44ed9f8c78f547c5670301a6c8a5b93faf25bd4e0e8c0617c3e3522a2f6a5b6b
Instruction Fuzzy Hash: C1319372508300AFD301EF54E891AAFBBE8EF99354F14092EF581872A1EB719945CB93

Function 0043DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00415222), ref: 0043DBCE
GetFileAttributesW.KERNEL32(?), ref: 0043DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0043DBEE
FindClose.KERNEL32(00000000), ref: 0043DBFA

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b7157ed982dcb4eeea362b1ac5c17f169327e372370baa81337be89402fcb412
Instruction ID: 953f1f2f989e27437c6a5596500fbdbdb5c36701617333cc0ca9ec3de227a88b
Opcode Fuzzy Hash: b7157ed982dcb4eeea362b1ac5c17f169327e372370baa81337be89402fcb412
Instruction Fuzzy Hash: E5F0A070C209105782206B78AC4D8BB776C9E06334F146753F8B6C21E0FBF49955869E

Function 0042D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0042D220

Strings

%.3d, xrefs: 0042D22B
X64, xrefs: 0042D2A8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 1df9ddf6265f56b4b2ee64596f8419c1cb65dc41457330067f1f115a8eec333b
Instruction ID: 5b1ae9b1ca45439237c045637e8a52bbfcfada7cea7a34fb6fcdb4eb09127897
Opcode Fuzzy Hash: 1df9ddf6265f56b4b2ee64596f8419c1cb65dc41457330067f1f115a8eec333b
Instruction Fuzzy Hash: 68D01261D08129E9CB5097E0EC459B9B37CBB08301FE084E3FC0691040E62CD909A77B

Function 003F4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004028E9,?,003F4CBE,004028E9,004988B8,0000000C,003F4E15,004028E9,00000002,00000000,?,004028E9), ref: 003F4D09
TerminateProcess.KERNEL32(00000000,?,003F4CBE,004028E9,004988B8,0000000C,003F4E15,004028E9,00000002,00000000,?,004028E9), ref: 003F4D10
ExitProcess.KERNEL32 ref: 003F4D22

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c73a81c2e3d4c3a2bf1245ebb637cc5749a5ca0ad353d74cbb27452a4e3d9ac7
Instruction ID: 7997cf5e04d52ee2951afe9eb7fd3024917d8cf36bf8723b6ee45185bf50c923
Opcode Fuzzy Hash: c73a81c2e3d4c3a2bf1245ebb637cc5749a5ca0ad353d74cbb27452a4e3d9ac7
Instruction Fuzzy Hash: 89E04631000148ABCF22AF10DD49A6A3F29EB81781B004028FD448A223EB75DD82CA84

Function 0042D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0042D28C

Strings

X64, xrefs: 0042D2A8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: b86a1a39d6c3f367f1b84984dd82bfaf1b272d635d5e8826d64bac76449d41b8
Instruction ID: c32693163ed4a56963cf42132271e87100466c317c967619ccd37bffd4f9c4da
Opcode Fuzzy Hash: b86a1a39d6c3f367f1b84984dd82bfaf1b272d635d5e8826d64bac76449d41b8
Instruction Fuzzy Hash: 97D0C9B480112DEACB90CB90ECC8DD9B37CBB04305F100292F106A2040D77495498F20

Function 003DBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#J, xrefs: 004207CE

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#J
API String ID: 3964851224-2198892205
Opcode ID: 32460593cb66715f047759e0ec7a97978d6c6d91c0e4c5db4620a595b19bf1d5
Instruction ID: 7edc765fc8c5bc98aea086e6cbaed45c779021db87ae62d26c6845db64be7c48
Opcode Fuzzy Hash: 32460593cb66715f047759e0ec7a97978d6c6d91c0e4c5db4620a595b19bf1d5
Instruction Fuzzy Hash: 94A29A71618351CFC721CF28D480B2ABBE5BF89304F54996EE88A8B352D775EC45CB92

Function 0045AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0045B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0045B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0045B1D4
_wcslen.LIBCMT ref: 0045B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0045B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0045B236
_wcslen.LIBCMT ref: 0045B332

Part of subcall function 004405A7: GetStdHandle.KERNEL32(000000F6), ref: 004405C6

_wcslen.LIBCMT ref: 0045B34B
_wcslen.LIBCMT ref: 0045B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0045B3B6
GetLastError.KERNEL32(00000000), ref: 0045B407
CloseHandle.KERNEL32(?), ref: 0045B439
CloseHandle.KERNEL32(00000000), ref: 0045B44A
CloseHandle.KERNEL32(00000000), ref: 0045B45C
CloseHandle.KERNEL32(00000000), ref: 0045B46E
CloseHandle.KERNEL32(?), ref: 0045B4E3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: d2abf2e3fa3c60d2d684cfa7cf9574fd895a9a675fe5ae50620634fc987ae7dc
Instruction ID: a9983fd873d9c80751717816a3e13fe46c7ca57785d7fe52330dc00d1d2e348a
Opcode Fuzzy Hash: d2abf2e3fa3c60d2d684cfa7cf9574fd895a9a675fe5ae50620634fc987ae7dc
Instruction Fuzzy Hash: CBF188316042409FC725EF24D881B2BBBE1EF85714F14855EF8899B3A2DB35EC49CB96

Function 003DD730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003DD807
timeGetTime.WINMM ref: 003DDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003DDB28
TranslateMessage.USER32(?), ref: 003DDB7B
DispatchMessageW.USER32(?), ref: 003DDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003DDB9F
Sleep.KERNEL32(0000000A), ref: 003DDBB1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 298191703b43de7c78eb7d57c35ebce3db63767a4dea3981af5326e0b9db0cb0
Instruction ID: a145d870dfd5d21e034d82499843b52b22de66a966450d891f60a75ac567a73e
Opcode Fuzzy Hash: 298191703b43de7c78eb7d57c35ebce3db63767a4dea3981af5326e0b9db0cb0
Instruction Fuzzy Hash: 62423331604351EFD726CF24E884B6ABBE4BF46304F54862FE4568B3A1D7B4E844CB86

Function 003D2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003D2D07
RegisterClassExW.USER32(00000030), ref: 003D2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003D2D42
InitCommonControlsEx.COMCTL32(?), ref: 003D2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003D2D6F
LoadIconW.USER32(000000A9), ref: 003D2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003D2D94

Strings

AutoIt v3 GUI, xrefs: 003D2D23
TaskbarCreated, xrefs: 003D2D37
0, xrefs: 003D2CE9
+, xrefs: 003D2CF0

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e10871508adf212800e7ae4ab1bf69278b2cfcf9257d9de8a29179756ee43d44
Instruction ID: 8e2cf53bd47fa50c850a8f350c6a853ab317e388065f5ba96713945443a0e83f
Opcode Fuzzy Hash: e10871508adf212800e7ae4ab1bf69278b2cfcf9257d9de8a29179756ee43d44
Instruction Fuzzy Hash: 1821E7B5901219AFDB00DF94E889BAE7FB8FB09701F00412AF551A62A0E7B50544CF99

Function 0041065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041039A: CreateFileW.KERNEL32(00000000,00000000,?,00410704,?,?,00000000,?,00410704,00000000,0000000C), ref: 004103B7

GetLastError.KERNEL32 ref: 0041076F
__dosmaperr.LIBCMT ref: 00410776
GetFileType.KERNEL32(00000000), ref: 00410782
GetLastError.KERNEL32 ref: 0041078C
__dosmaperr.LIBCMT ref: 00410795
CloseHandle.KERNEL32(00000000), ref: 004107B5
CloseHandle.KERNEL32(?), ref: 004108FF
GetLastError.KERNEL32 ref: 00410931
__dosmaperr.LIBCMT ref: 00410938

Strings

H, xrefs: 004108BD

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: dcd4752b144c2a6ec0f9f8974d337d6c0aa8ccad646bf5a7faf4a0bb3bc47a9d
Instruction ID: 9841822b8d5f421651062052152a56c1b1c973c2b4bf34921cc4e915926b1414
Opcode Fuzzy Hash: dcd4752b144c2a6ec0f9f8974d337d6c0aa8ccad646bf5a7faf4a0bb3bc47a9d
Instruction Fuzzy Hash: 36A12932A041089FDF19AF68D8517EE7BA0AF06324F14015EF815AF3D1D7B99C92CB99

Function 003D344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004A1418,?,003D2E7F,?,?,?,00000000), ref: 003D3A78

Part of subcall function 003D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003D3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003D356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0041318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004131CE
RegCloseKey.ADVAPI32(?), ref: 00413210
_wcslen.LIBCMT ref: 00413277
_wcslen.LIBCMT ref: 00413286

Strings

Include, xrefs: 00413184, 004131C5
Software\AutoIt v3\AutoIt, xrefs: 003D3560
\, xrefs: 0041328C
\Include\, xrefs: 003D3527

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f164a776e04dcf65c2a1ab05d8c2bab80c9acd05096f0c53398eb303e23d712a
Instruction ID: 0f4fec27987b02e378d61244022d03ce6d4b9cf35036d0fd786703496b158595
Opcode Fuzzy Hash: f164a776e04dcf65c2a1ab05d8c2bab80c9acd05096f0c53398eb303e23d712a
Instruction Fuzzy Hash: 4E7193725043009EC705EF69ED819ABBBE8FF96740F40443FF94587260EBB49948DB5A

Function 003D2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003D2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 003D2B9D
LoadIconW.USER32(00000063), ref: 003D2BB3
LoadIconW.USER32(000000A4), ref: 003D2BC5
LoadIconW.USER32(000000A2), ref: 003D2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003D2BEF
RegisterClassExW.USER32(?), ref: 003D2C40

Part of subcall function 003D2CD4: GetSysColorBrush.USER32(0000000F), ref: 003D2D07
Part of subcall function 003D2CD4: RegisterClassExW.USER32(00000030), ref: 003D2D31
Part of subcall function 003D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003D2D42
Part of subcall function 003D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 003D2D5F
Part of subcall function 003D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003D2D6F
Part of subcall function 003D2CD4: LoadIconW.USER32(000000A9), ref: 003D2D85
Part of subcall function 003D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003D2D94

Strings

#, xrefs: 003D2C16
0, xrefs: 003D2C0F
AutoIt v3, xrefs: 003D2C2F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6c3bbf02521de44600bad25ecee30e4fd75513ba335118e31b78b0f0bdb5ed05
Instruction ID: e249997e6bbc16958fe5634f9bca1fbded91646e5a377eb633cbc888b1a8211f
Opcode Fuzzy Hash: 6c3bbf02521de44600bad25ecee30e4fd75513ba335118e31b78b0f0bdb5ed05
Instruction Fuzzy Hash: 00211A75E00324AFEF109FA5EC95AA97FF4FB49B50F00403AE905A66B0D7B10540CF99

Function 003DB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003DBB4E

Strings

p#J, xrefs: 0042024F
p#J, xrefs: 00420263
p%J, xrefs: 003DB8DC
p%J, xrefs: 003DBB32
p#J, xrefs: 003DBA72
p#J, xrefs: 003DBB6B
x#J, xrefs: 00420207
x#J, xrefs: 00420168

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#J$p#J$p#J$p#J$p%J$p%J$x#J$x#J
API String ID: 1385522511-3219966860
Opcode ID: 42cd10662e2228f7f4141cec10af777b6206497085767430eedf336eaab3631f
Instruction ID: 4a64b07eff14a2e0f60dacead20548276ca9beeb69da076f12807af005dcf621
Opcode Fuzzy Hash: 42cd10662e2228f7f4141cec10af777b6206497085767430eedf336eaab3631f
Instruction Fuzzy Hash: AD32DD36A00219EFCB11CF68E894ABAB7F9EF45300F56805BED05AB352C778AD41CB55

Function 003D3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,003D316A,?,?), ref: 003D31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,003D316A,?,?), ref: 003D3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003D3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,003D316A,?,?), ref: 003D3232
CreatePopupMenu.USER32 ref: 003D3246
PostQuitMessage.USER32(00000000), ref: 003D3267

Strings

TaskbarCreated, xrefs: 003D322D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 97242556614448aa33eca27cfcc75c5c73a2c1ab87c77bcce4c1af2a73a291f9
Instruction ID: 7e23750dc61c58ddd399041f89cf24e6a1ccb556f5b9bffc266795ad3e11a12b
Opcode Fuzzy Hash: 97242556614448aa33eca27cfcc75c5c73a2c1ab87c77bcce4c1af2a73a291f9
Instruction Fuzzy Hash: F6410436640202AADB162F68FD49BBA3A1DE706340F044137F942867B1D7A98E40D7AB

Function 003DDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 004232B7
D%JD%J, xrefs: 003DE27E
D%J, xrefs: 003DE4B1
D%J, xrefs: 0042302D
D%J, xrefs: 00422FDA
D%J, xrefs: 003DE1E0

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: D%J$D%J$D%J$D%J$D%JD%J$Variable must be of type 'Object'.
API String ID: 0-1829645331
Opcode ID: 83f6b69ae56f695357ef3eaa9c716bb9d79b8d38b9e45f42271439504977cfef
Instruction ID: d4cd359ae97a7b7a27750e93e34b90cca003ced766947610b93df59d2ad32b42
Opcode Fuzzy Hash: 83f6b69ae56f695357ef3eaa9c716bb9d79b8d38b9e45f42271439504977cfef
Instruction Fuzzy Hash: FEC2AF76E00214DFCB25EF58E880AADBBB1BF09300F25856AE905AF391D379ED41CB55

Function 003DEC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003DFE66

Strings

D%J, xrefs: 003DEFB7
D%JD%J, xrefs: 003DF05B
D%J, xrefs: 0042491E
D%J, xrefs: 003DF36A
D%J, xrefs: 00424972

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%J$D%J$D%J$D%J$D%JD%J
API String ID: 1385522511-2627025737
Opcode ID: 1272b72d076bf770e165c8f33c1534db5f7ba957b19c9fec18242a93c86006b5
Instruction ID: 8d75dc9d52ff1c6d8b51bafb50e6ee83247b93a2cfd048dead1d1059554ab051
Opcode Fuzzy Hash: 1272b72d076bf770e165c8f33c1534db5f7ba957b19c9fec18242a93c86006b5
Instruction Fuzzy Hash: B3B2AD76608350CFCB16DF18E480A2ABBF1BF89300F25496EE8868B351D775ED45CB92

Function 003D1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003D1459
CoUninitialize.COMBASE ref: 003D14F8
UnregisterHotKey.USER32(?), ref: 003D16DD
DestroyWindow.USER32(?), ref: 004124B9
FreeLibrary.KERNEL32(?), ref: 0041251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0041254B

Strings

close all, xrefs: 003D1454

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1762f53118786f1159d794fc58930d2cbb6a5f6567dba8a4077561cb85be090a
Instruction ID: bdc26afe3219e50fc95cff73ecd7cfe26bb1cb759562c4b315a645d41492a0b0
Opcode Fuzzy Hash: 1762f53118786f1159d794fc58930d2cbb6a5f6567dba8a4077561cb85be090a
Instruction Fuzzy Hash: 31D1CE32701212AFCB1AEF15D594A69F7A5BF05700F1042AFE44AAB351DB74EC62CF58

Function 0043DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0043DE42
gethostname.WS2_32(?,00000100), ref: 0043DE5C
gethostbyname.WS2_32(?), ref: 0043DE69
inet_ntoa.WSOCK32(?), ref: 0043DEAB
_strcat.LIBCMT ref: 0043DEB9
WSACleanup.WSOCK32 ref: 0043DEDE

Strings

0.0.0.0, xrefs: 0043DE87

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 445e5b119bd380a5fcdad048817f43c98eda17836b930a5c4ef3bf71d631c77c
Instruction ID: 86f537880aba4872291c36227276b51edfcf9f4be036f486716134c3de11a734
Opcode Fuzzy Hash: 445e5b119bd380a5fcdad048817f43c98eda17836b930a5c4ef3bf71d631c77c
Instruction Fuzzy Hash: FA112431D00119AFCB21BB20AC4AEFF7BACDB14711F00017BF1459A091FFB89A818A59

Function 003D2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003D2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003D2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,003D1CAD,?), ref: 003D2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,003D1CAD,?), ref: 003D2CCF

Strings

AutoIt v3, xrefs: 003D2C89, 003D2C8E, 003D2C8F
edit, xrefs: 003D2CAC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 464555bd33f87ce47b1ac01cb9a4e1dddf995bdf81174f6dec75e2d47b2fb757
Instruction ID: ffdf546aa0ad1551369a06796534df8366f387b148c0ef3263c9f9a0afc8ae0b
Opcode Fuzzy Hash: 464555bd33f87ce47b1ac01cb9a4e1dddf995bdf81174f6dec75e2d47b2fb757
Instruction Fuzzy Hash: C8F0DAB65402A07AFB311B17AC48E772EBDD7CBF61F10406AFD00A25B0D6A51854DBB9

Function 003D3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003D3B0F,SwapMouseButtons,00000004,?), ref: 003D3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003D3B0F,SwapMouseButtons,00000004,?), ref: 003D3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,003D3B0F,SwapMouseButtons,00000004,?), ref: 003D3B83

Strings

Control Panel\Mouse, xrefs: 003D3B3E

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: d20f47e91b54b279328e158967271c274af7922dc4474a8d0dadb2e697293e71
Instruction ID: c24fcf023f45a56d48dac07f84bcf5682df01ce84335ed3125613e3d7a0ae43f
Opcode Fuzzy Hash: d20f47e91b54b279328e158967271c274af7922dc4474a8d0dadb2e697293e71
Instruction Fuzzy Hash: 10112AB6510208FFDB218FA5EC84AAEB7BCEF04744B11446BE845D7210E2719E409765

Function 0042D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0042D3BF
FreeLibrary.KERNEL32 ref: 0042D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0042D3B9
X64, xrefs: 0042D2A8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 811660b93cd5e8ff041d86088d05382cf7c56e4969dce877eb00b047191462fd
Instruction ID: 0c3d1bb5568549554d16d8c840f3524e40a777f18ab38f719144238760c26e5e
Opcode Fuzzy Hash: 811660b93cd5e8ff041d86088d05382cf7c56e4969dce877eb00b047191462fd
Instruction Fuzzy Hash: 7BF0A721E05531DBD7215610AC94AEA3314AF11701BE8C5A7EC42E1248E75CCD4146AF

Function 003D3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004133A2

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 003D3A04

Strings

Line: , xrefs: 004133EB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 5381bbc1e823c806ec278cdcc25cb9d926de7718a32d30f4fa82e714b1f36734
Instruction ID: 90c0a895144e3e18b3d6e6200c22331b836b27552569bec604ff63fac9680400
Opcode Fuzzy Hash: 5381bbc1e823c806ec278cdcc25cb9d926de7718a32d30f4fa82e714b1f36734
Instruction Fuzzy Hash: 1B31D672508304AAD722EF10EC55BEB77DCAB41710F10452BF999872A1DB749A48C7DB

Function 003D2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00412C8C

Part of subcall function 003D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003D3A97,?,?,003D2E7F,?,?,?,00000000), ref: 003D3AC2

Part of subcall function 003D2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 003D2DC4

Strings

`eI, xrefs: 00412C85
X, xrefs: 00412C5A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eI
API String ID: 779396738-3192710792
Opcode ID: 7c6420bbd11fd59e726ba7fcc82de63fdf33b63ee928893cca269edc21341ed5
Instruction ID: 26a58ee762e678721aab8e400e9030a1769b37fcaef0a5330f6032bd8b43ed67
Opcode Fuzzy Hash: 7c6420bbd11fd59e726ba7fcc82de63fdf33b63ee928893cca269edc21341ed5
Instruction Fuzzy Hash: 19219671A002589FDF42DF94D845BEE7BFCAF49314F00805BE505EB341EBB859898BA5

Function 003EFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 003F0668

Part of subcall function 003F32A4: RaiseException.KERNEL32(?,?,?,003F068A,?,004A1444,?,?,?,?,?,?,003F068A,003D1129,00498738,003D1129), ref: 003F3304

__CxxThrowException@8.LIBVCRUNTIME ref: 003F0685

Strings

Unknown exception, xrefs: 003F0692

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 8325a2cae82e2d1f28ad336bf498872554cce8a615d4da96ea6da4d5c0f4b8f8
Instruction ID: 638adf20de1b970640c5aba9db76da5fe868dd53a5727353b490b99afdb49f96
Opcode Fuzzy Hash: 8325a2cae82e2d1f28ad336bf498872554cce8a615d4da96ea6da4d5c0f4b8f8
Instruction Fuzzy Hash: 09F0C83490020D778F06B6A9DC46D7E7B6C9E40350B604536BA18D95D6EFB1DA25C681

Function 003D10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 003D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003D1BF4
Part of subcall function 003D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 003D1BFC
Part of subcall function 003D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003D1C07
Part of subcall function 003D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003D1C12
Part of subcall function 003D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 003D1C1A
Part of subcall function 003D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 003D1C22

Part of subcall function 003D1B4A: RegisterWindowMessageW.USER32(00000004,?,003D12C4), ref: 003D1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003D136A
OleInitialize.OLE32 ref: 003D1388
CloseHandle.KERNEL32(00000000,00000000), ref: 004124AB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4457e97490ee8e2ec7da36c69f23810d133c162b6f2f50992523f45c1231022c
Instruction ID: 4caa01951732ecc2ac4245106e3e3cdb31ae7b60325628811560b19b4f3f0b9c
Opcode Fuzzy Hash: 4457e97490ee8e2ec7da36c69f23810d133c162b6f2f50992523f45c1231022c
Instruction Fuzzy Hash: 49718BB9D01250AFC384EF7AA9556A53EE0AB9B384F54823FD04ACB3B1E73844448F4D

Function 0043C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003D3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043C259
KillTimer.USER32(?,00000001,?,?), ref: 0043C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0043C270

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 36b12d63a8815cb96aa1e6c1eec5cc29bbc92b3478e3b382c3edd1afc9b0d68f
Instruction ID: c3b49e464fbba61bb066be4dd18b5dcc69e03c6e8df8a6a6965329a3b19ebcd8
Opcode Fuzzy Hash: 36b12d63a8815cb96aa1e6c1eec5cc29bbc92b3478e3b382c3edd1afc9b0d68f
Instruction Fuzzy Hash: DB31C570904344AFEB229F648895BE7BBEC9B0A304F0014DBD5DAA7241C7785A85CF56

Function 004086AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,004085CC,?,00498CC8,0000000C), ref: 00408704
GetLastError.KERNEL32(?,004085CC,?,00498CC8,0000000C), ref: 0040870E
__dosmaperr.LIBCMT ref: 00408739

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: e5ca63175980212f83f949a0bde8d51f9063cc21e2f00dc9c41b901597682c20
Instruction ID: 0648c0897bd39f51f7560a7bd21e2fcbb801d07526fafc84c167da7796ecca00
Opcode Fuzzy Hash: e5ca63175980212f83f949a0bde8d51f9063cc21e2f00dc9c41b901597682c20
Instruction Fuzzy Hash: 73016F326142201AC62062345A4577F2B558B92778F36053FFC44BB2D3DEBE8C81865D

Function 003DDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 003DDB7B
DispatchMessageW.USER32(?), ref: 003DDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003DDB9F
Sleep.KERNEL32(0000000A), ref: 003DDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00421CC9

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 750a57f03be197091d8002f9b7cb2ffa5c2dda8c75ef3f2231852bdf84fdc727
Instruction ID: b8584c3a60f9f274312dd016d900319e7e66f8455263022cef349e84c4820635
Opcode Fuzzy Hash: 750a57f03be197091d8002f9b7cb2ffa5c2dda8c75ef3f2231852bdf84fdc727
Instruction Fuzzy Hash: 25F05E316443519BE730DB61EC89FAA73ACEB55311F504A2AE64AC31D0EB749448DB1A

Function 003E1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003E17F6

Strings

CALL, xrefs: 003E17C6

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f9eaeecdf9dd73cd7bf0a228d85dd5405a5d58f85a2131fab0d19e2fb80907f2
Instruction ID: 86430ac3df4f7c51972dcba72ac9494513ce8e8a8e5ddd31c7555cc2de233016
Opcode Fuzzy Hash: f9eaeecdf9dd73cd7bf0a228d85dd5405a5d58f85a2131fab0d19e2fb80907f2
Instruction Fuzzy Hash: DA22AC70608291DFC715DF16D480B2ABBF5BF85304F158A6EF8968B3A1D775E841CB82

Function 003E01E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51313e4d1f0d40b9b9e2f490d55925bbe2308ed3d6c050b8f198ab2d84c5a0db
Instruction ID: 5d65af6b5b6347e44ddb9269381534705feb79975ce7899d23c351ca6c8850c0
Opcode Fuzzy Hash: 51313e4d1f0d40b9b9e2f490d55925bbe2308ed3d6c050b8f198ab2d84c5a0db
Instruction Fuzzy Hash: 42321130B00664DFCB26EF55EC85BAEB7B1AF00310F548A2AE915AB2D1D774ED80CB55

Function 0042D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0042D375

Strings

X64, xrefs: 0042D2A8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: b78f37336dd6bcf9c64cc146b5cdd4fdef5b16fcfd8cd65e4ec5f11950106548
Instruction ID: 103c17870e80e26b3405ddf476b15a8be4481120f7a3e4ef6fd8f2e258fdf8ca
Opcode Fuzzy Hash: b78f37336dd6bcf9c64cc146b5cdd4fdef5b16fcfd8cd65e4ec5f11950106548
Instruction Fuzzy Hash: 80D0C9B5905128EACB90CB40ECC8DE9B37CBB04301FA08292F402A2540D774A9899B26

Function 003D3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 003D3908

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b526cd034618459ac0c971baf1b0b07538a22bd7ef18141c03d054fa43b1e49b
Instruction ID: 32a20b65a2e8f864ce72a6cb33c280494085938e957d3cdd2e8eddc63bcfd6f8
Opcode Fuzzy Hash: b526cd034618459ac0c971baf1b0b07538a22bd7ef18141c03d054fa43b1e49b
Instruction Fuzzy Hash: F6318FB15043019FE721DF24E884797BBE8FB49709F00092FF99997390E7B1AA48CB56

Function 003EF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003EF661

Part of subcall function 003DD730: GetInputState.USER32 ref: 003DD807

Sleep.KERNEL32(00000000), ref: 0042F2DE

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 9a64ea3e880206644259d13b98ba8e1a9f435ed304a966901e53a0f44148f2e5
Instruction ID: 9d770c46ba3e640f39fa6cbb5c6f24559b154c25d73d9b7262a4151bb122882b
Opcode Fuzzy Hash: 9a64ea3e880206644259d13b98ba8e1a9f435ed304a966901e53a0f44148f2e5
Instruction Fuzzy Hash: 29F082312402159FD310EF65E445B6AF7E9FF46761F00007AE859CB3A0DBB0A800CF95

Function 003D4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003D4EDD,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4E9C
Part of subcall function 003D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003D4EAE
Part of subcall function 003D4E90: FreeLibrary.KERNEL32(00000000,?,?,003D4EDD,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4EFD

Part of subcall function 003D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00413CDE,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4E62
Part of subcall function 003D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003D4E74
Part of subcall function 003D4E59: FreeLibrary.KERNEL32(00000000,?,?,00413CDE,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4E87

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 66dae55ad9b1a2253f402628f8ea90f79e31a773528941b0e8008f35d5e18056
Instruction ID: ce08aa1049be83783cc0702bf27791fa74778497bb55a0d82c1aa13af31d044d
Opcode Fuzzy Hash: 66dae55ad9b1a2253f402628f8ea90f79e31a773528941b0e8008f35d5e18056
Instruction Fuzzy Hash: 4011E733A00205ABDF16BF60EC06FAD77A9AF40B11F10442FF542AA2E1EE74DA459754

Function 00408402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00408440

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 51c7765d1e73285b1b86081f5574aa44d5dbfd2e71264585102f06bf08b7ab06
Instruction ID: e2ec8036fec5a575ee00bac002b851e1e053395fffc1087b0b83b95210d86cd9
Opcode Fuzzy Hash: 51c7765d1e73285b1b86081f5574aa44d5dbfd2e71264585102f06bf08b7ab06
Instruction Fuzzy Hash: 1B11187590410AAFCB15DF58EA419DF7BF5EF48314F14406AFC08AB352EA31EA11CBA9

Function 00405000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00404C7D: RtlAllocateHeap.NTDLL(00000008,003D1129,00000000,?,00402E29,00000001,00000364,?,?,?,003FF2DE,00403863,004A1444,?,003EFDF5,?), ref: 00404CBE

_free.LIBCMT ref: 0040506C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: f267390fd001f7fb76ce7dea9c69949ef4e0252a81af8e92008c5acee3814924
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C7012BB22047045BE3218F65984595BFBECFB85370F25052EE184A32C0E6746805CA78

Function 003FE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: bceb9ead4e3fdb61b87ec1890b6e2abbba52afa6700b9adcef339225d72e22d6
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 22F0F932511A1C96C6333E669D09B7A339C9F52334F11072AF621E71E1DF78940186A9

Function 003D9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003D9CBD

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction ID: d96e1dd5e118aaa931b2968ae4b0c11e1c1ab55bb339172243f5ac24f8188aaa
Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction Fuzzy Hash: 7CF0C8B3600614AED7169F29DC06BA7BB98EF44760F10862BF619CF2D1DB71E51487A0

Function 00404C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003D1129,00000000,?,00402E29,00000001,00000364,?,?,?,003FF2DE,00403863,004A1444,?,003EFDF5,?), ref: 00404CBE

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 979d77413fd33670a127f1490edbcf9e1416cf67d0d738bbe82b81bce4d289c5
Instruction ID: f9c5c84d30bdcabe102f73a2f2a29da6e75822b1f65649c906d6af339689aca9
Opcode Fuzzy Hash: 979d77413fd33670a127f1490edbcf9e1416cf67d0d738bbe82b81bce4d289c5
Instruction Fuzzy Hash: F2F0BB7150A22877FB215F619C05B6B3748AFC1760F164133FE15BB2D0CA78D80146E9

Function 00403820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004A1444,?,003EFDF5,?,?,003DA976,00000010,004A1440,003D13FC,?,003D13C6,?,003D1129), ref: 00403852

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 95890b7aec9845c6d994c481a88207a1c70cf11c39d27c1b3bf0ee129b2da5de
Instruction ID: f8e3b2d0becd8ad57dcfa71c7f99cc6d5de187a0fb36fb7e92b3bc661c70bfad
Opcode Fuzzy Hash: 95890b7aec9845c6d994c481a88207a1c70cf11c39d27c1b3bf0ee129b2da5de
Instruction Fuzzy Hash: 7DE0EC3310021456E7213E769C00BAB3ECC9F427B2F054072FD05B66D0DB35DE0142E9

Function 003D4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4F6D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b5a1e4c1e198dcee5ce210013a9715ee61d609a994200db2f4bf1917838aadf1
Instruction ID: 156f826468ce9fc10ef21d032b1e209eac9319da39b4a77692df9f45569fa300
Opcode Fuzzy Hash: b5a1e4c1e198dcee5ce210013a9715ee61d609a994200db2f4bf1917838aadf1
Instruction Fuzzy Hash: 72F03972105752CFDB369F64E490822BBF8AF14329321897FE2EA82A31CB319844DF10

Function 00462A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00462A66

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 6a740d756d3a6463a1fed6f5d715da602351150c02062b53b9fc8f45f5ec27b4
Instruction ID: 7e7db6b945581ed3f85389e4684a3d6fb84c8e5e11fbb8d0111a36cfb748d409
Opcode Fuzzy Hash: 6a740d756d3a6463a1fed6f5d715da602351150c02062b53b9fc8f45f5ec27b4
Instruction Fuzzy Hash: 20E0DF76350516BAC710EA71DC808FA734CEF54399B10043BEC26C2100EBF8999282A9

Function 003D30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 003D314E

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d11a6a8e2c86276ef401403d7b4de4de021db4b3628378bc3fcbdc481ac11788
Instruction ID: bb245ea02e40ecb2027a093184e71b34d4889e9991bf4ce424b595d1d4bb0f6d
Opcode Fuzzy Hash: d11a6a8e2c86276ef401403d7b4de4de021db4b3628378bc3fcbdc481ac11788
Instruction Fuzzy Hash: E9F037719143589FEB53DF24DC457D67BBCAB01708F0000F6A68896291DBB45B88CF56

Function 003D2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 003D2DC4

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 52ffcc34eb49e2ed0521374641cfc743c426b59efda1f70d7225c81708777aec
Instruction ID: 83ebd0097d8b2cc2b8f331d0fd9da244cd7fa42298551c199af60d44e488dd32
Opcode Fuzzy Hash: 52ffcc34eb49e2ed0521374641cfc743c426b59efda1f70d7225c81708777aec
Instruction Fuzzy Hash: 27E0CD72A041245BC711A3599C06FEA77DDDFC8790F0400B6FD09D7258D964AD808555

Function 003D2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003D3908

Part of subcall function 003DD730: GetInputState.USER32 ref: 003DD807

SetCurrentDirectoryW.KERNEL32(?), ref: 003D2B6B

Part of subcall function 003D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003D314E

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 860396a74cea47de310223e61a88b7e2fe51f38faae54cfb3431d9608968644e
Instruction ID: 66305329e0f0173067bfc8c382ecd7e315b6efdece3a4c9b5117894dc76b90c0
Opcode Fuzzy Hash: 860396a74cea47de310223e61a88b7e2fe51f38faae54cfb3431d9608968644e
Instruction Fuzzy Hash: 00E0262370020406C606BB34B8525BDBB498BE6351F00043FF0428B363CF644D494213

Function 0043DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0043DF40

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 69c0e0a99ee2506db60a1af19081d2ca35650efe49d6a19e1b0dd17673a9bc45
Instruction ID: 54242375d01f9aeb5fc188e1356cd8adf927a4a10494ea0c71fcd384878e52c8
Opcode Fuzzy Hash: 69c0e0a99ee2506db60a1af19081d2ca35650efe49d6a19e1b0dd17673a9bc45
Instruction Fuzzy Hash: C2D05EE2A002282BDF60E6759C0EDF73AACC740250F0006B178ADD3152E960DD4486B0

Function 0041039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00410704,?,?,00000000,?,00410704,00000000,0000000C), ref: 004103B7

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 29f9e15ef2a128015f8bf0d1414efcde754156be4317f21f97427c6b60de8913
Instruction ID: 4a83d05f2db942dc95e271ba9bb329915c74e374e68e568c97b4d0c3b3fc0e35
Opcode Fuzzy Hash: 29f9e15ef2a128015f8bf0d1414efcde754156be4317f21f97427c6b60de8913
Instruction Fuzzy Hash: 94D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010FE5856020C772E821AB95

Function 003D1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 003D1CBC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6eea6820d2a4cd8ef9dc43a6e3b96356a4c1f8ff3348e6149f62ba26dbdbf6ef
Instruction ID: 61890d9302fffe9cc959a222314bce037ed0cd06d98a03511ca01757f7a3c8ef
Opcode Fuzzy Hash: 6eea6820d2a4cd8ef9dc43a6e3b96356a4c1f8ff3348e6149f62ba26dbdbf6ef
Instruction Fuzzy Hash: 6FC09B35280314BFF6144B84BD4AF107B54B34DB10F044011FA4A555F3D3E11410EB59

Non-executed Functions

Function 00469576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 003E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003E9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0046961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0046969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004696C9
SendMessageW.USER32 ref: 004696F2
GetKeyState.USER32(00000011), ref: 0046978B
GetKeyState.USER32(00000009), ref: 00469798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004697AE
GetKeyState.USER32(00000010), ref: 004697B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004697E9
SendMessageW.USER32 ref: 00469810
SendMessageW.USER32(?,00001030,?,00467E95), ref: 00469918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0046992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00469941
SetCapture.USER32(?), ref: 0046994A
ClientToScreen.USER32(?,?), ref: 004699AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004699BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004699D6
ReleaseCapture.USER32 ref: 004699E1
GetCursorPos.USER32(?), ref: 00469A19
ScreenToClient.USER32(?,?), ref: 00469A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00469A80
SendMessageW.USER32 ref: 00469AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00469AEB
SendMessageW.USER32 ref: 00469B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00469B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00469B4A
GetCursorPos.USER32(?), ref: 00469B68
ScreenToClient.USER32(?,?), ref: 00469B75
GetParent.USER32(?), ref: 00469B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00469BFA
SendMessageW.USER32 ref: 00469C2B
ClientToScreen.USER32(?,?), ref: 00469C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00469CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00469CDE
SendMessageW.USER32 ref: 00469D01
ClientToScreen.USER32(?,?), ref: 00469D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00469D82

Part of subcall function 003E9944: GetWindowLongW.USER32(?,000000EB), ref: 003E9952

GetWindowLongW.USER32(?,000000F0), ref: 00469E05

Strings

F, xrefs: 00469D07
@GUI_DRAGID, xrefs: 0046997D
p#J, xrefs: 00469990

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#J
API String ID: 3429851547-2097163523
Opcode ID: 7165d8d04e4cabb62ac1cec1dad0432ae17419098ef36a4b86c28a7f8e40bfdd
Instruction ID: d8201e6883ace4057d573819ed32039688c52bbba8ff20d2e190813e62e2e2f1
Opcode Fuzzy Hash: 7165d8d04e4cabb62ac1cec1dad0432ae17419098ef36a4b86c28a7f8e40bfdd
Instruction Fuzzy Hash: 19428D74204301AFDB25CF28CC84AABBBE9FF49310F14062AF595873A1E7B59C55CB5A

Function 00464873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004648F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00464908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00464927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0046494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0046495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0046497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004649AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004649D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00464A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00464A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00464A7E
IsMenu.USER32(?), ref: 00464A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00464AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00464B20
GetWindowLongW.USER32(?,000000F0), ref: 00464B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00464BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00464C82
wsprintfW.USER32 ref: 00464CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00464CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00464CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00464D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00464D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00464D5A

Strings

%d/%02d/%02d, xrefs: 00464CA8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 3e98e0c0515a6de14f74f321ff09007bed12f8fc6b6abd4406b24f3448f51ce6
Instruction ID: 30756a67d6d1bc21cccff7536734baf0da023c070045e9449c7f0d73fb34c146
Opcode Fuzzy Hash: 3e98e0c0515a6de14f74f321ff09007bed12f8fc6b6abd4406b24f3448f51ce6
Instruction Fuzzy Hash: 77120071600254ABEF259F24DC49FBF7BA8EF85700F10412AF515DB2E0EBB89941CB5A

Function 003EF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 003EF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0042F474
IsIconic.USER32(00000000), ref: 0042F47D
ShowWindow.USER32(00000000,00000009), ref: 0042F48A
SetForegroundWindow.USER32(00000000), ref: 0042F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042F4AA
GetCurrentThreadId.KERNEL32 ref: 0042F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0042F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0042F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0042F4DE
SetForegroundWindow.USER32(00000000), ref: 0042F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0042F4F6
keybd_event.USER32(00000012,00000000), ref: 0042F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0042F50B
keybd_event.USER32(00000012,00000000), ref: 0042F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0042F519
keybd_event.USER32(00000012,00000000), ref: 0042F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0042F528
keybd_event.USER32(00000012,00000000), ref: 0042F52D
SetForegroundWindow.USER32(00000000), ref: 0042F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0042F557

Strings

Shell_TrayWnd, xrefs: 0042F46F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f4c7d3cf075f7a46b58e71077c0de82f81b0f3babac2f8b24b50fccd307d4ab7
Instruction ID: 9654297b70ab261485e5f755e7370e7d565d67b58cb5f388d5d3f6b6d4070de7
Opcode Fuzzy Hash: f4c7d3cf075f7a46b58e71077c0de82f81b0f3babac2f8b24b50fccd307d4ab7
Instruction Fuzzy Hash: 31316571B40228BBEB206BB55C89FBF7E7CEB44B50F500076F601E61D1D6F55D00AA69

Function 00431201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043170D
Part of subcall function 004316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043173A
Part of subcall function 004316C3: GetLastError.KERNEL32 ref: 0043174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00431286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004312A8
CloseHandle.KERNEL32(?), ref: 004312B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004312D1
GetProcessWindowStation.USER32 ref: 004312EA
SetProcessWindowStation.USER32(00000000), ref: 004312F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00431310

Part of subcall function 004310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004311FC), ref: 004310D4
Part of subcall function 004310BF: CloseHandle.KERNEL32(?,?,004311FC), ref: 004310E9

Strings

winsta0, xrefs: 004312CC
default, xrefs: 0043130B
ZI, xrefs: 00431392
, xrefs: 0043125A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZI
API String ID: 22674027-4241157800
Opcode ID: 6e6ae74042cc4db23a56730f99e072c799acfc23ec09a5e438b899583e85cdd4
Instruction ID: 855bffd87b849eb4ef6e843f3344ab2bf54a72a5129b5a7e72aea7fcd0d4e7c9
Opcode Fuzzy Hash: 6e6ae74042cc4db23a56730f99e072c799acfc23ec09a5e438b899583e85cdd4
Instruction Fuzzy Hash: CA817C71900249ABDF119FA4DC89BFF7BB9AF08704F14512AF911A62A0D7798944CB29

Function 00430B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00431114
Part of subcall function 004310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 00431120
Part of subcall function 004310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 0043112F
Part of subcall function 004310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 00431136
Part of subcall function 004310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0043114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00430BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00430C00
GetLengthSid.ADVAPI32(?), ref: 00430C17
GetAce.ADVAPI32(?,00000000,?), ref: 00430C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00430C6D
GetLengthSid.ADVAPI32(?), ref: 00430C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00430C8C
HeapAlloc.KERNEL32(00000000), ref: 00430C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00430CB4
CopySid.ADVAPI32(00000000), ref: 00430CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00430CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00430D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00430D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00430D45
HeapFree.KERNEL32(00000000), ref: 00430D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00430D55
HeapFree.KERNEL32(00000000), ref: 00430D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00430D65
HeapFree.KERNEL32(00000000), ref: 00430D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00430D78
HeapFree.KERNEL32(00000000), ref: 00430D7F

Part of subcall function 00431193: GetProcessHeap.KERNEL32(00000008,00430BB1,?,00000000,?,00430BB1,?), ref: 004311A1
Part of subcall function 00431193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00430BB1,?), ref: 004311A8
Part of subcall function 00431193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00430BB1,?), ref: 004311B7

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1255ffd418da2120fb6036ec416ca7286cf4bb227631f6f6c93188c0afb2f11f
Instruction ID: dcdd2c64463476ce38c1ec399b32606b451c089754e4bad79a7a8aa05bb74320
Opcode Fuzzy Hash: 1255ffd418da2120fb6036ec416ca7286cf4bb227631f6f6c93188c0afb2f11f
Instruction Fuzzy Hash: 21717E7190020AABDF10DFE4DC84BEFBBB8BF09300F045666E954A6291D7B9A905CB65

Function 0044EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0046CC08), ref: 0044EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0044EB37
GetClipboardData.USER32(0000000D), ref: 0044EB43
CloseClipboard.USER32 ref: 0044EB4F
GlobalLock.KERNEL32(00000000), ref: 0044EB87
CloseClipboard.USER32 ref: 0044EB91
GlobalUnlock.KERNEL32(00000000), ref: 0044EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0044EBC9
GetClipboardData.USER32(00000001), ref: 0044EBD1
GlobalLock.KERNEL32(00000000), ref: 0044EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0044EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0044EC38
GetClipboardData.USER32(0000000F), ref: 0044EC44
GlobalLock.KERNEL32(00000000), ref: 0044EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0044EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0044EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0044ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0044ECF3
CountClipboardFormats.USER32 ref: 0044ED14
CloseClipboard.USER32 ref: 0044ED59

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: ba25fcb279e209f70ae8f9497ad6624d14642de97328218a7e7f74a6982449bc
Instruction ID: 6cc57e70af4206ae7c8643c95d00c55ef21d8f11273f577d6afe5cbb4ff0d576
Opcode Fuzzy Hash: ba25fcb279e209f70ae8f9497ad6624d14642de97328218a7e7f74a6982449bc
Instruction Fuzzy Hash: 8461CC352042429FE301EF25D895F3A77A4FF84704F04456BF8968B3A2DB75E906CB6A

Function 0044698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004469BE
FindClose.KERNEL32(00000000), ref: 00446A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00446A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00446A75

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00446AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00446ADF

Strings

%4d, xrefs: 00446BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00446B6A
%02d, xrefs: 00446C00, 00446C0A, 00446C5A, 00446CAA, 00446CFA, 00446D4A
%03d, xrefs: 00446DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00446B32

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c17bfb7bd66da1b5ed056db255d1da9f20e924a8eb4dcb87a0186528e3bce934
Instruction ID: bdf87d7763e4d75ba58394e03797c2d3a5adfb2eeea1145a8b29a64e03c322df
Opcode Fuzzy Hash: c17bfb7bd66da1b5ed056db255d1da9f20e924a8eb4dcb87a0186528e3bce934
Instruction Fuzzy Hash: 13D17272508340AFD711EBA0D882EABB7ECAF89704F44491EF585DB291EB74DA04C762

Function 00449642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00449663
GetFileAttributesW.KERNEL32(?), ref: 004496A1
SetFileAttributesW.KERNEL32(?,?), ref: 004496BB
FindNextFileW.KERNEL32(00000000,?), ref: 004496D3
FindClose.KERNEL32(00000000), ref: 004496DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004496FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0044974A
SetCurrentDirectoryW.KERNEL32(00496B7C), ref: 00449768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00449772
FindClose.KERNEL32(00000000), ref: 0044977F
FindClose.KERNEL32(00000000), ref: 0044978F

Strings

*.*, xrefs: 004496F5

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 96fc3a8e1b0b7d16681ce5f76d81a0078152ac06a0a7bce576bb813720bdd1e9
Instruction ID: 44f13064426a7551affaea797cf9481b7dcb4008a0963a3a1fc3641ac8484305
Opcode Fuzzy Hash: 96fc3a8e1b0b7d16681ce5f76d81a0078152ac06a0a7bce576bb813720bdd1e9
Instruction Fuzzy Hash: 2531C232600619AEEF10EFB4DC49AEF77AC9F49320F1041A7F955E2290EB78DD409B18

Function 0044979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004497BE
FindNextFileW.KERNEL32(00000000,?), ref: 00449819
FindClose.KERNEL32(00000000), ref: 00449824
FindFirstFileW.KERNEL32(*.*,?), ref: 00449840
SetCurrentDirectoryW.KERNEL32(?), ref: 00449890
SetCurrentDirectoryW.KERNEL32(00496B7C), ref: 004498AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004498B8
FindClose.KERNEL32(00000000), ref: 004498C5
FindClose.KERNEL32(00000000), ref: 004498D5

Part of subcall function 0043DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0043DB00

Strings

*.*, xrefs: 0044983B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 5ed3c86e9006a8421625550c26704053c7cb514edfe2eb7f2dd9a80a029a000a
Instruction ID: c349cd6d95f677170b1cd135f876517ea131cada27addfdb7321eb717472d9e4
Opcode Fuzzy Hash: 5ed3c86e9006a8421625550c26704053c7cb514edfe2eb7f2dd9a80a029a000a
Instruction Fuzzy Hash: 2C31C3315002196AEF10FFB8EC48AEF77AC9F46320F144167E950A2290EB78DD859A29

Function 0043D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003D3A97,?,?,003D2E7F,?,?,?,00000000), ref: 003D3AC2

Part of subcall function 0043E199: GetFileAttributesW.KERNEL32(?,0043CF95), ref: 0043E19A

FindFirstFileW.KERNEL32(?,?), ref: 0043D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0043D1DD
MoveFileW.KERNEL32(?,?), ref: 0043D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0043D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0043D237

Part of subcall function 0043D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0043D21C,?,?), ref: 0043D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0043D253
FindClose.KERNEL32(00000000), ref: 0043D264

Strings

\*.*, xrefs: 0043D0CD, 0043D0D6, 0043D0EB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 40ad2aaa91c3828e6057c89bdf5754e75613328e29058d28ce9c8d7fbceefcc4
Instruction ID: c555add35722fecffdf2697b7bf1c8a15d5e58505a6916c679b646cd69e2f487
Opcode Fuzzy Hash: 40ad2aaa91c3828e6057c89bdf5754e75613328e29058d28ce9c8d7fbceefcc4
Instruction Fuzzy Hash: 8B615F32D0110D9BCF06EBE0EA929EEB775AF19304F2441ABE40177291EB345F09DB65

Function 0044ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0044ED91
EmptyClipboard.USER32 ref: 0044ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0044EDAC
CloseClipboard.USER32 ref: 0044EEA3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 882c53ca48965081f66b41efad27e19b6da857a955295f85f4cde561fe19a542
Instruction ID: 9416ab0f616943302b99f7ef070307c106a4d4a796cf4550e6153117334b1bdc
Opcode Fuzzy Hash: 882c53ca48965081f66b41efad27e19b6da857a955295f85f4cde561fe19a542
Instruction Fuzzy Hash: BB41C0716046119FE710CF16E888B2ABBE5FF44318F14C0AAE8558F762D775EC42CB99

Function 0043E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043170D
Part of subcall function 004316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043173A
Part of subcall function 004316C3: GetLastError.KERNEL32 ref: 0043174A

ExitWindowsEx.USER32(?,00000000), ref: 0043E932

Strings

@, xrefs: 0043E925
SeShutdownPrivilege, xrefs: 0043E902
, xrefs: 0043E920
, xrefs: 0043E95C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f39ad68d74bb54464760d15de95fd9f7850b8e8147a2baaf099eb9c30b986850
Instruction ID: 1df451b21dcfe29ce91a8a47115dadfb8aebc64951f18a62f848bdfeb3b7370f
Opcode Fuzzy Hash: f39ad68d74bb54464760d15de95fd9f7850b8e8147a2baaf099eb9c30b986850
Instruction Fuzzy Hash: 720126B2612210ABFB1426B69CC6FBF726C9F0C754F151823FC03E21E2E5A85C40839D

Function 00451204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00451276
WSAGetLastError.WSOCK32 ref: 00451283
bind.WSOCK32(00000000,?,00000010), ref: 004512BA
WSAGetLastError.WSOCK32 ref: 004512C5
closesocket.WSOCK32(00000000), ref: 004512F4
listen.WSOCK32(00000000,00000005), ref: 00451303
WSAGetLastError.WSOCK32 ref: 0045130D
closesocket.WSOCK32(00000000), ref: 0045133C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 86d0b4115bedb9a651554e9dd574c2dadada441f975079ccf399c33296c4f4ef
Instruction ID: 6d138a95fedcad067e7ff2d2dd767c75388662768566bc99a47fbd355c7ba068
Opcode Fuzzy Hash: 86d0b4115bedb9a651554e9dd574c2dadada441f975079ccf399c33296c4f4ef
Instruction Fuzzy Hash: AD4170316001019FD710EF64D484B2ABBE5AF86319F188199EC569F3A3C775EC85CBE5

Function 0040B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0040B9D4
_free.LIBCMT ref: 0040B9F8
_free.LIBCMT ref: 0040BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00473700), ref: 0040BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0040BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004A1270,000000FF,?,0000003F,00000000,?), ref: 0040BC36
_free.LIBCMT ref: 0040BD4B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0ecad5129e14ff22d5bddc65824d8ff3be211e8aea9b86c2d4a97aca88c13b3d
Instruction ID: 92c08fdd12a08abb0ed848d2c1c77f00e2ef2970a717e803659656fbfda4c223
Opcode Fuzzy Hash: 0ecad5129e14ff22d5bddc65824d8ff3be211e8aea9b86c2d4a97aca88c13b3d
Instruction Fuzzy Hash: 66C10771A042059BDB119F698C41BAA7BB8EF42310F2441BFE995B73D1D7389E418BDC

Function 0043D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003D3A97,?,?,003D2E7F,?,?,?,00000000), ref: 003D3AC2

Part of subcall function 0043E199: GetFileAttributesW.KERNEL32(?,0043CF95), ref: 0043E19A

FindFirstFileW.KERNEL32(?,?), ref: 0043D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0043D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0043D481
FindClose.KERNEL32(00000000), ref: 0043D498
FindClose.KERNEL32(00000000), ref: 0043D4A1

Strings

\*.*, xrefs: 0043D3F2

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9acad065e1f7fe5111320f92ee8ad8f38c78617ad36f4809bbf28fca9304c03a
Instruction ID: 29440a70a00797b37a6a056c7dd18b174da69c2bbdd79b8ec3b372e4f1a421fd
Opcode Fuzzy Hash: 9acad065e1f7fe5111320f92ee8ad8f38c78617ad36f4809bbf28fca9304c03a
Instruction Fuzzy Hash: 7B31A2324083459BC302EF60E8918AFB7E8BEA5314F445A2FF4D157291EB34AA09C767

Function 0040E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0040E645

Strings

1#QNAN, xrefs: 0040F84B
1#IND, xrefs: 0040F83D
1#INF, xrefs: 0040F852
1#SNAN, xrefs: 0040F844

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ac17555410f1660b00cc1b1c16e1af94a444465c4e6ced661e944db6b051d696
Instruction ID: c989e224b5bcd502a5ac683733378ae73e5c5634e681b75db6f1e292a64341e8
Opcode Fuzzy Hash: ac17555410f1660b00cc1b1c16e1af94a444465c4e6ced661e944db6b051d696
Instruction Fuzzy Hash: E4C23A72E086288BDB25CE289D407EAB7B5EB44304F1445FBD84DF7281E778AE858F45

Function 0044648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004464DC
CoInitialize.OLE32(00000000), ref: 00446639
CoCreateInstance.OLE32(0046FCF8,00000000,00000001,0046FB68,?), ref: 00446650
CoUninitialize.OLE32 ref: 004468D4

Strings

.lnk, xrefs: 004464BA, 00446524, 004465E0

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 8cd4af9d9eda459be90cd075ebea9ab597ad13e0aa53064be56764adc96ec390
Instruction ID: ec1cadc076dfcfe27cedc43b7226f3049523d1cb4f3a9f0433b25f84174f41f0
Opcode Fuzzy Hash: 8cd4af9d9eda459be90cd075ebea9ab597ad13e0aa53064be56764adc96ec390
Instruction Fuzzy Hash: E9D15A71608301AFD305EF24D881A6BB7E8FF95704F10496EF5958B2A1EB70ED09CB92

Function 004522DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004522E8

Part of subcall function 0044E4EC: GetWindowRect.USER32(?,?), ref: 0044E504

GetDesktopWindow.USER32 ref: 00452312
GetWindowRect.USER32(00000000), ref: 00452319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00452355
GetCursorPos.USER32(?), ref: 00452381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004523DF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 63ee82ffd42b9d86db830d31621b4bb48d2162e0481c289516a4c1fdbab470f9
Instruction ID: fe5215bf3dff70ef205ae1eeab8ffd7179a00386f4b4a8ecf8a494934255f647
Opcode Fuzzy Hash: 63ee82ffd42b9d86db830d31621b4bb48d2162e0481c289516a4c1fdbab470f9
Instruction Fuzzy Hash: 2331F472105315AFD710DF65C844B6B7799FF85314F00091EF88597281DB78EA08CB9A

Function 00449B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00449B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00449C8B

Part of subcall function 00443874: GetInputState.USER32 ref: 004438CB
Part of subcall function 00443874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00443966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00449BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00449C75

Strings

*.*, xrefs: 00449B5D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d9b24f5c723e54da2bc481f02d8b97fcd7250c13da5ace4dbc3ae779c003cd6b
Instruction ID: 355173b77809c2a1e9534baae5a6830561a698732b2d80dce8fd2d6946f5ab1c
Opcode Fuzzy Hash: d9b24f5c723e54da2bc481f02d8b97fcd7250c13da5ace4dbc3ae779c003cd6b
Instruction Fuzzy Hash: 6E41907190020AAFEF15DF64D989AEFBBB4EF05300F204067E805A7291EB349E44DF69

Function 003E997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 003E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003E9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 003E9A4E
GetSysColor.USER32(0000000F), ref: 003E9B23
SetBkColor.GDI32(?,00000000), ref: 003E9B36

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 104c5f716a32062bebeaf9d49c93244ccf7963448ceb40531b459744864ae01b
Instruction ID: e8939c54c28d536942548496c16083f0daee05f8a399287321dd60e3e2a46e09
Opcode Fuzzy Hash: 104c5f716a32062bebeaf9d49c93244ccf7963448ceb40531b459744864ae01b
Instruction Fuzzy Hash: 2CA10C702085B0FEE7269A2A9C58F7B2A5DDF82314F15432FF402C6AD1DA299D01C37A

Function 00451806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0045307A
Part of subcall function 0045304E: _wcslen.LIBCMT ref: 0045309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0045185D
WSAGetLastError.WSOCK32 ref: 00451884
bind.WSOCK32(00000000,?,00000010), ref: 004518DB
WSAGetLastError.WSOCK32 ref: 004518E6
closesocket.WSOCK32(00000000), ref: 00451915

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 2935812d17e8368d16a602000eb426be6e4d2f718fff842c0b88253cbfff1ee7
Instruction ID: 21218ee6d03d8af6d95133ca700a642886bbb0b1b057819491870eb0596f4486
Opcode Fuzzy Hash: 2935812d17e8368d16a602000eb426be6e4d2f718fff842c0b88253cbfff1ee7
Instruction Fuzzy Hash: 8F51E171A00210AFDB21AF24D886F7A77E5AB44718F08819DF946AF3D3D774AD41CBA1

Function 00461C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00461CC0
IsWindowEnabled.USER32 ref: 00461CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00461CDB
IsIconic.USER32 ref: 00461CE9
IsZoomed.USER32 ref: 00461CF7

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 63763f43ea852790c06a7a286e627c18ff54ddf8df538cfd4f36198d0d8d881f
Instruction ID: c74312b55f87a0a386ed092c1a6100d1160265635836247c49f5c3cc4e8df851
Opcode Fuzzy Hash: 63763f43ea852790c06a7a286e627c18ff54ddf8df538cfd4f36198d0d8d881f
Instruction Fuzzy Hash: D921F6317402015FD3208F1AC884B6B7BA4EF95314F1C806AE846CB361E7B5EC42CB9A

Function 003D8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00415DF0
VUUU, xrefs: 003D843C
ERCP, xrefs: 003D813C
VUUU, xrefs: 003D83E8
VUUU, xrefs: 003D83FA

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ce55f605c07e4f321d4d45d9456d10317a25d3751ea30cb7382bde60dc754ed5
Instruction ID: 25e42f22f8902e0be90dbe8ff94a7e85bd6af7ee477a6bc04d2fa0971d4928c8
Opcode Fuzzy Hash: ce55f605c07e4f321d4d45d9456d10317a25d3751ea30cb7382bde60dc754ed5
Instruction Fuzzy Hash: A3A26B71A0021ACBDF25CF58D9407EEB7B2BB54314F2585ABE815A7384EB34ED81CB94

Function 00438298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004382AA

Strings

|, xrefs: 004382DA
tbI, xrefs: 004384F4
(, xrefs: 004382F0

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: lstrlen
String ID: ($tbI$|
API String ID: 1659193697-3077504220
Opcode ID: 588c9eb3a17f6842b8a121d4938313519d78b417e5ac2798ca8210ad28617fa6
Instruction ID: 8ca8a1708f0d8b7b08f738ed240cd4dddb4d1ed099c6100576eb7c76b46b7032
Opcode Fuzzy Hash: 588c9eb3a17f6842b8a121d4938313519d78b417e5ac2798ca8210ad28617fa6
Instruction Fuzzy Hash: 9F322374A007059FCB28CF29C481A6AF7F0FF48710B15856EE89ADB3A1EB74E941CB44

Function 0043AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0043AAAC
SetKeyboardState.USER32(00000080), ref: 0043AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0043AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0043AB88

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 12cf6c0a22d9fd37035bbc85f39d5979b0261741ce03354201ade8278e56b068
Instruction ID: a6f1282f61d534e55a3704c3c6dac9e6b15a442778eabd2da88d5d17a5d6211f
Opcode Fuzzy Hash: 12cf6c0a22d9fd37035bbc85f39d5979b0261741ce03354201ade8278e56b068
Instruction Fuzzy Hash: C531FB31A802446EFB25CA65CC057FBB7A6AB4C310F04521BE2D1552D1D37C9961C75B

Function 0044CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0044CE89
GetLastError.KERNEL32(?,00000000), ref: 0044CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0044CEFE

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e85e4cb07a8261d6611151975ccd6dbf6c578e10dd65c258faad575ad9e3345f
Instruction ID: d34441261d5ce52a2a062d66054ea763853e8dda2ac8927a07255910695f6def
Opcode Fuzzy Hash: e85e4cb07a8261d6611151975ccd6dbf6c578e10dd65c258faad575ad9e3345f
Instruction Fuzzy Hash: 8F21CF71501305DBEB60DFA5C988BA777FCEB10314F24442FE646D2291E778EE098B58

Function 00402622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00402724
UnhandledExceptionFilter.KERNEL32(?), ref: 00402731

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 638c72308e615dacf4f4be49d9e6eab55aa30e6ec05240f606697be073ae813a
Instruction ID: 45332f846b9f568852cd34516a4e356e80f8cb992bdd97f5b0078b19d9fcd4eb
Opcode Fuzzy Hash: 638c72308e615dacf4f4be49d9e6eab55aa30e6ec05240f606697be073ae813a
Instruction Fuzzy Hash: EA31B57491121C9BCB21DF68DD89B9DB7B8BF08310F5041EAE91CA72A1E7749F818F45

Function 004451CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004451DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00445238
SetErrorMode.KERNEL32(00000000), ref: 004452A1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 365df406a80591d281e2cac86661a5d989e34040b35ffab8f47fb029c0b12d5e
Instruction ID: c118e134505a99d605840ed7ef863726660c13fe2394ed2283e4e5bd4a61c4e2
Opcode Fuzzy Hash: 365df406a80591d281e2cac86661a5d989e34040b35ffab8f47fb029c0b12d5e
Instruction Fuzzy Hash: 6D317F35A00508DFDB00DF54D884EADBBB4FF09314F04809AE8059B352DB75E845CF55

Function 004316C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 003EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003F0668
Part of subcall function 003EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003F0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043173A
GetLastError.KERNEL32 ref: 0043174A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e8f0ed0a457ce12f79914b6bdab627b57d88f6092c59f41dfa14f8403ee72568
Instruction ID: 8a5872554d598f6d505eba56719c34c34f39e65d14abfe2b25495c5a9f29a5a0
Opcode Fuzzy Hash: e8f0ed0a457ce12f79914b6bdab627b57d88f6092c59f41dfa14f8403ee72568
Instruction Fuzzy Hash: 5611C1B2404305EFD718AF54DCC6D6BBBBDEF08754B24852EE05657291EBB0BC428A64

Function 0043D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0043D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0043D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0043D650

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: fcdb669d20bdb9495b35e587c304299c514562e6401f3af439199d820330e5d5
Instruction ID: b144e644117484fb65d9e5a27aeadf5e3c91adf4354e31a6dc632be5d345d6fa
Opcode Fuzzy Hash: fcdb669d20bdb9495b35e587c304299c514562e6401f3af439199d820330e5d5
Instruction Fuzzy Hash: 3611A571E01228BFDB108F95EC45FAFBFBCEB49B50F108122F914E7290D2B04A058BA5

Function 00431663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0043168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004316A1
FreeSid.ADVAPI32(?), ref: 004316B1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: febfa4b924749409d7d72969f3edbd3e2fa0f894181013c77bd52a88aa7dea98
Instruction ID: 4199873e37c93dc972072d23ad9294385deab6d3c0aec5002555cf8caa272fcb
Opcode Fuzzy Hash: febfa4b924749409d7d72969f3edbd3e2fa0f894181013c77bd52a88aa7dea98
Instruction Fuzzy Hash: DDF0F471950309FBDB00DFE49D89EAEBBBCEB08604F504565E501E2191E774AA448A55

Function 0040C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0040C36C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 8b714420b99b96937d7307b8fdefe5850ac8635d9ce7d8169bfda5f148c776eb
Instruction ID: b688235f5b4087c3d288da27dd2840342fd30a4be4090b4a3406e766d6b550de
Opcode Fuzzy Hash: 8b714420b99b96937d7307b8fdefe5850ac8635d9ce7d8169bfda5f148c776eb
Instruction Fuzzy Hash: 72412A76900219ABCB209FB9DC89DBB7779EB84314F1042BEF905E72C0E6749D418B58

Function 003FCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: b22048997cb01dd7c73a3da819d0e887c26fa8459de6bad37e3e8ef77e979fe2
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 61022B71E5021D9BDF15CFA9C9806ADFBF1EF48314F25816AD919EB380D731AE418B84

Function 003DCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#J, xrefs: 003DCF7F
Variable is not of type 'Object'., xrefs: 00420C40

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#J
API String ID: 0-3352960931
Opcode ID: 4b248450da70c07edc7a1ac977fdddfa3bf8db06650428167b678d56f315a8c5
Instruction ID: ed251e6c54cba4f30fb8e0de0c5b35596e0b7e89f9c385678cf002705bc3e253
Opcode Fuzzy Hash: 4b248450da70c07edc7a1ac977fdddfa3bf8db06650428167b678d56f315a8c5
Instruction Fuzzy Hash: 2532A072A20219DBCF15DF90E980AEEB7B9FF05304F50405BE806AB392D775AE45CB54

Function 004468EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00446918
FindClose.KERNEL32(00000000), ref: 00446961

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: deb8a0fc3a86642f4af35135f100a6406561ab1ba96e5802d23c50678a4c1900
Instruction ID: 4cfb1de0960b7cb5c46f052db7c491fbdedf05590d43c298eecf379dda68100c
Opcode Fuzzy Hash: deb8a0fc3a86642f4af35135f100a6406561ab1ba96e5802d23c50678a4c1900
Instruction Fuzzy Hash: 6F11D3716142019FD710CF29D484A16BBE5FF85328F05C6AAE8698F3A2C774EC05CB92

Function 004437B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00454891,?,?,00000035,?), ref: 004437E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00454891,?,?,00000035,?), ref: 004437F4

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bebee6a8f8b769b683494c834f1351c9cfabf7554fb6c61eb2eed4dd5771d7f3
Instruction ID: 5fddbe5524a1e29c3592c1b810dae20f5b202e8c8052f59acc0ad249287dc94d
Opcode Fuzzy Hash: bebee6a8f8b769b683494c834f1351c9cfabf7554fb6c61eb2eed4dd5771d7f3
Instruction Fuzzy Hash: C6F055B06002282AF72017668C8DFEB7AAEEFC4B61F000176F509D2280D9A08944C6B5

Function 0043B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0043B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0043B270

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 46970234d027b186227cb39390756ebfd4112607aa8d9178f3f78b242ed81d25
Instruction ID: f412f1dfab10dcd09228d535d003149f5eeef013a39f0910deef2a8957908e50
Opcode Fuzzy Hash: 46970234d027b186227cb39390756ebfd4112607aa8d9178f3f78b242ed81d25
Instruction Fuzzy Hash: FDF01D7180428EABDB059FA1C806BBF7BB4FF08309F00905AF965A5192D7B986119F99

Function 004310BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004311FC), ref: 004310D4
CloseHandle.KERNEL32(?,?,004311FC), ref: 004310E9

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6f4cd13605d09e117528c90bffaaf85dfdca7fc43d89dee9c34048242634945b
Instruction ID: ec463861ce68bbfacdb27e8266d3d066e7d1bd6dd17cad6735ed682ca37a03eb
Opcode Fuzzy Hash: 6f4cd13605d09e117528c90bffaaf85dfdca7fc43d89dee9c34048242634945b
Instruction Fuzzy Hash: 92E04F32008650AEE7262B52FC05E777BA9EB04310F10892EF4A5844B1DBA26C90DB54

Function 0040676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00406766,?,?,00000008,?,?,0040FEFE,00000000), ref: 00406998

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1f76f82fdc9a51a683bf9cd5aae8949f3d0c2afc9ffde279ac75af889a365249
Instruction ID: 9095716a8404243e0a4d5e34c8b6dd7694e624dab12be1f622bcbd0e6dfabed7
Opcode Fuzzy Hash: 1f76f82fdc9a51a683bf9cd5aae8949f3d0c2afc9ffde279ac75af889a365249
Instruction Fuzzy Hash: 3FB15C726106088FD714CF28C486B657BE0FF45364F26C669E89ADF2E1C339D9A2CB44

Function 003EB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0042851F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ee46d1471ab524bb00ff04d3eec4dc0490d770abca1f2263f1a3cbbaf65f16ca
Instruction ID: f5d903aacebe7b07fd205c55df8eaa983ed9fc6713b6b89e3bd3d8b64a471606
Opcode Fuzzy Hash: ee46d1471ab524bb00ff04d3eec4dc0490d770abca1f2263f1a3cbbaf65f16ca
Instruction Fuzzy Hash: 23128071A00229DBCB15CF59D8816EEB7F5FF48310F14819AE849EB295EB349E81CF94

Function 0044EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0044EABD

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 8dfa8580efdc0333a98c7df0a0371ed863af0b3d866c5276dd73bbb94c9340d1
Instruction ID: a8aeb7ce62d3739b508a746d70b8de75a4209f9219ab813c1d9bd10254b3e17a
Opcode Fuzzy Hash: 8dfa8580efdc0333a98c7df0a0371ed863af0b3d866c5276dd73bbb94c9340d1
Instruction Fuzzy Hash: BCE01A322102059FD710EF5AE844E9AF7E9BF98760F008427FD49DB361DAB4A8418B95

Function 003F09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003F03EE), ref: 003F09DA

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ff6b89f4371b0f96bedd6c93702fee972e9fe6495be47dc4ad76c9c1f327f57c
Instruction ID: 027efe626636c768a45a69ad33fbb68acdb36a05b4792bfad72dc456df1aaf89
Opcode Fuzzy Hash: ff6b89f4371b0f96bedd6c93702fee972e9fe6495be47dc4ad76c9c1f327f57c
Instruction Fuzzy Hash:

Function 003F781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 003F798B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2281658e2a46dedb4f8a66a67d2f638d353dc2d9657e9f6c37d7bece53bf4a5a
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DE51646160C60D5BDF3B8A68895FBFF23999B12380F190509EB82CB782CB55DE02D352

Function 00442046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&J, xrefs: 00442053

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: 0&J
API String ID: 0-2398951208
Opcode ID: b6848a2b1a917673b1e2c5a86f28cc7c4b586c56e523f30929d21c252c7000f6
Instruction ID: 64bdc2650bacf19f5ab3ad19956e8a61afa4fbff08894fc5eb1de8af5aba7cf8
Opcode Fuzzy Hash: b6848a2b1a917673b1e2c5a86f28cc7c4b586c56e523f30929d21c252c7000f6
Instruction Fuzzy Hash: 9121E7322216118BD728CF79C92367E77E5A754310F14862EF4A7C37D0DE79A904DB84

Function 00406DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2434c5cec75268a39173a4cc5232a0a4591c87f41d6f95f1ceef860f984cbf
Instruction ID: 0c5ace4c84bee3f1df4b355993f84cd22cf43b8c0edba1d880b6615b9c77e02f
Opcode Fuzzy Hash: ba2434c5cec75268a39173a4cc5232a0a4591c87f41d6f95f1ceef860f984cbf
Instruction Fuzzy Hash: 5F322122D29F014DD7239634CD22336A289AFB73C5F15C737E81AB5AA6EB78D4C34109

Function 003ECC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c97fab4e209947a819892ae61eb685e9a7ed1d80bf11663d177d9fd5c60eb7
Instruction ID: a4379e4ee9582a4d1b94337fe198335cfe79f768c54507fa7b62d82b272c2966
Opcode Fuzzy Hash: 55c97fab4e209947a819892ae61eb685e9a7ed1d80bf11663d177d9fd5c60eb7
Instruction Fuzzy Hash: 3B321831B101B58BDF25CF29E4D0A7E77A1EB45300FA98667E4498B391D238DD83DB49

Function 003D7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bde0d6762e5f23d4f1ed873af975bf1d834e7df96baec71686f404b1b2022ec
Instruction ID: 8876ee539d5f3cde19456756b8d67948387ee012ba4fa9cbe87ed85c05aacddb
Opcode Fuzzy Hash: 8bde0d6762e5f23d4f1ed873af975bf1d834e7df96baec71686f404b1b2022ec
Instruction Fuzzy Hash: A322B071A00609DFDF15CF64D981AEEB7B5FF84300F10462AE816AB391E73AAD51CB54

Function 003D91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2610cc643355ccf38b7fb34577272b8193763210b2ff7e2dd44b8a7660a2663b
Instruction ID: c65772a70290f9a58aef1a1a356f326c7622277ec77d771e45ce1c3443fe12c1
Opcode Fuzzy Hash: 2610cc643355ccf38b7fb34577272b8193763210b2ff7e2dd44b8a7660a2663b
Instruction Fuzzy Hash: 0402D4B1E0020AEFDB05DF55D881BAEB7B5FF44300F10816AE8069B391EB75AE51CB85

Function 003F1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 40cd6f5ddbd2dc50b40784fe53d42e932e27551bcdad5d800851df442c80fa41
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 7B9186322080E78ADB2B463EA57403EFFF55A923A131B079DE5F2CA1C5FE24C954D620

Function 003F19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 2c8697e2e66b1d2a5de4120ada4342f64a053f386589ae6acbebab27ff7d1c3b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 6A9174722090E7CADB2F427AA57403EFFE55A923A231B079ED5F2CA5C1FE14C954D620

Function 003F7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d163a64a0a5cea4824ffd85a8848cf87c0102356955c8be1698dc01ccf4c9933
Instruction ID: 4df3e5826e594d715c808b9bc8ae072cc6273d0fbf44c519f7436098802f52ab
Opcode Fuzzy Hash: d163a64a0a5cea4824ffd85a8848cf87c0102356955c8be1698dc01ccf4c9933
Instruction Fuzzy Hash: 6D61673120C74E96EE3B9A2C8D96BBE2398DF42704F12091AEB43DF791DA519E42C355

Function 003F1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 8ed2cab454001a60a60c276ede02fa7b2b1c836073afacbe2fa0bea90baa5a10
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1181A5336080E789DB6F823A953443EFFE15A923A131B079DD5F6CB1C1EE64C558E660

Function 00452ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00452B30
DeleteObject.GDI32(00000000), ref: 00452B43
DestroyWindow.USER32 ref: 00452B52
GetDesktopWindow.USER32 ref: 00452B6D
GetWindowRect.USER32(00000000), ref: 00452B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00452CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00452CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00452CF8
GetClientRect.USER32(00000000,?), ref: 00452D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00452D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00452D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00452D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00452D80
GlobalLock.KERNEL32(00000000), ref: 00452D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00452D98
GlobalUnlock.KERNEL32(00000000), ref: 00452DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00452DA8
GlobalFree.KERNEL32(00000000), ref: 00452DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00452DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0046FC38,00000000), ref: 00452DDB
GlobalFree.KERNEL32(00000000), ref: 00452DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00452E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00452E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00452E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045303F

Strings

DISPLAY, xrefs: 00452EA2
AutoIt v3, xrefs: 00452CF2
static, xrefs: 00452D3A, 00452E91
, xrefs: 00452FC5

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3500dd6b2ade1f6e80a880a9c7c8dc62f841e84dcac6a2064095f742c30fe32c
Instruction ID: f810b0b9a9fab92703a013bd4bfd191a1e24967ef061b714b773bd491430d7ca
Opcode Fuzzy Hash: 3500dd6b2ade1f6e80a880a9c7c8dc62f841e84dcac6a2064095f742c30fe32c
Instruction Fuzzy Hash: FD02AF71500205EFDB14DF64DD89EAE7BB9EB4A311F00811AF915AB2A1D7B4ED04CF68

Function 004670D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0046712F
GetSysColorBrush.USER32(0000000F), ref: 00467160
GetSysColor.USER32(0000000F), ref: 0046716C
SetBkColor.GDI32(?,000000FF), ref: 00467186
SelectObject.GDI32(?,?), ref: 00467195
InflateRect.USER32(?,000000FF,000000FF), ref: 004671C0
GetSysColor.USER32(00000010), ref: 004671C8
CreateSolidBrush.GDI32(00000000), ref: 004671CF
FrameRect.USER32(?,?,00000000), ref: 004671DE
DeleteObject.GDI32(00000000), ref: 004671E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00467230
FillRect.USER32(?,?,?), ref: 00467262
GetWindowLongW.USER32(?,000000F0), ref: 00467284

Part of subcall function 004673E8: GetSysColor.USER32(00000012), ref: 00467421
Part of subcall function 004673E8: SetTextColor.GDI32(?,?), ref: 00467425
Part of subcall function 004673E8: GetSysColorBrush.USER32(0000000F), ref: 0046743B
Part of subcall function 004673E8: GetSysColor.USER32(0000000F), ref: 00467446
Part of subcall function 004673E8: GetSysColor.USER32(00000011), ref: 00467463
Part of subcall function 004673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00467471
Part of subcall function 004673E8: SelectObject.GDI32(?,00000000), ref: 00467482
Part of subcall function 004673E8: SetBkColor.GDI32(?,00000000), ref: 0046748B
Part of subcall function 004673E8: SelectObject.GDI32(?,?), ref: 00467498
Part of subcall function 004673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004674B7
Part of subcall function 004673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004674CE
Part of subcall function 004673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004674DB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 84e83719440c9d10c392a1299d212152a0adf299bb1431898975bed87785206e
Instruction ID: d3a18c1412616b8ceabc6235a20b6caaa3a40976af1e1d0d587c8d8d2f2ac650
Opcode Fuzzy Hash: 84e83719440c9d10c392a1299d212152a0adf299bb1431898975bed87785206e
Instruction Fuzzy Hash: 79A19471008311BFD7019F60DC88E6B7BA9FB49324F100A2AF9A2961E1E779E945CF57

Function 003E8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 003E8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00426AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00426AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00426F43

Part of subcall function 003E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003E8BE8,?,00000000,?,?,?,?,003E8BBA,00000000,?), ref: 003E8FC5

SendMessageW.USER32(?,00001053), ref: 00426F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00426F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00426FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00426FB7

Strings

0, xrefs: 00426DCF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 4fa5c9b19217b4d3918ed1a099c9ea37dd87a8de261a1725f69c44a66513dfe0
Instruction ID: 372748c91be34c688ac8d1e2023f29c9524b305cf514b3d9ee0b5da840cadeef
Opcode Fuzzy Hash: 4fa5c9b19217b4d3918ed1a099c9ea37dd87a8de261a1725f69c44a66513dfe0
Instruction Fuzzy Hash: D212DF30600261DFCB26DF15E884BA6BBE5FB45300F96456AF489CB2A1CB35EC51CF99

Function 00452711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0045273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0045286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004528A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004528B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00452900
GetClientRect.USER32(00000000,?), ref: 0045290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00452955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00452964
GetStockObject.GDI32(00000011), ref: 00452974
SelectObject.GDI32(00000000,00000000), ref: 00452978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00452988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00452991
DeleteDC.GDI32(00000000), ref: 0045299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004529C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004529DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00452A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00452A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00452A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00452A77
GetStockObject.GDI32(00000011), ref: 00452A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00452A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00452A97

Strings

DISPLAY, xrefs: 0045295A
AutoIt v3, xrefs: 004528F8
static, xrefs: 0045294F, 00452A71
msctls_progress32, xrefs: 00452A13

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9c55181502e7a1a24ba7bf981023082cfc891777388bc222bc2d1d557592d618
Instruction ID: cbe065d30b1c13a1e2963364bc007c291203bcaf347b7cecd4e3435e2be084a6
Opcode Fuzzy Hash: 9c55181502e7a1a24ba7bf981023082cfc891777388bc222bc2d1d557592d618
Instruction Fuzzy Hash: 50B170B1A00215AFEB14DFA4DD85FAF7BA9EB09711F004116F914EB2A1D7B4ED40CB98

Function 00444ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00444AED
GetDriveTypeW.KERNEL32(?,0046CB68,?,\\.\,0046CC08), ref: 00444BCA
SetErrorMode.KERNEL32(00000000,0046CB68,?,\\.\,0046CC08), ref: 00444D36

Strings

USB, xrefs: 00444CB4
Removable, xrefs: 00444C10, 00444C15
FileBackedVirtual, xrefs: 00444CEC
Network, xrefs: 00444C02
SSA, xrefs: 00444CA6
1394, xrefs: 00444C9F
CDROM, xrefs: 00444BFB
ATAPI, xrefs: 00444C91
MMC, xrefs: 00444CDE
Unknown, xrefs: 00444BED, 00444C83
RAMDisk, xrefs: 00444BF4
\\.\, xrefs: 00444B3F
Fibre, xrefs: 00444CAD
iSCSI, xrefs: 00444CC2
RAID, xrefs: 00444CBB
ATA, xrefs: 00444C98
SCSI, xrefs: 00444C8A
PhysicalDrive, xrefs: 00444B76
SATA, xrefs: 00444CD0
Virtual, xrefs: 00444CE5
Fixed, xrefs: 00444C09
SSD, xrefs: 00444C4A
SAS, xrefs: 00444CC9

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 38c90f3ee8cdd26d1273a3bf5cc6ceace9bd775d57806437b3417a99f594c8f8
Instruction ID: dc817533e216805f98c6a943da561cb61822d25c59cfbd58aa0531c615b9677b
Opcode Fuzzy Hash: 38c90f3ee8cdd26d1273a3bf5cc6ceace9bd775d57806437b3417a99f594c8f8
Instruction Fuzzy Hash: 5A61B5307011059BEF04DF14D9C2B69BBA1EB84345B2A8127F806AB791DB3DED42DB5E

Function 004673E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00467421
SetTextColor.GDI32(?,?), ref: 00467425
GetSysColorBrush.USER32(0000000F), ref: 0046743B
GetSysColor.USER32(0000000F), ref: 00467446
CreateSolidBrush.GDI32(?), ref: 0046744B
GetSysColor.USER32(00000011), ref: 00467463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00467471
SelectObject.GDI32(?,00000000), ref: 00467482
SetBkColor.GDI32(?,00000000), ref: 0046748B
SelectObject.GDI32(?,?), ref: 00467498
InflateRect.USER32(?,000000FF,000000FF), ref: 004674B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004674CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004674DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00467554
InflateRect.USER32(?,000000FD,000000FD), ref: 00467572
DrawFocusRect.USER32(?,?), ref: 0046757D
GetSysColor.USER32(00000011), ref: 0046758E
SetTextColor.GDI32(?,00000000), ref: 00467596
DrawTextW.USER32(?,004670F5,000000FF,?,00000000), ref: 004675A8
SelectObject.GDI32(?,?), ref: 004675BF
DeleteObject.GDI32(?), ref: 004675CA
SelectObject.GDI32(?,?), ref: 004675D0
DeleteObject.GDI32(?), ref: 004675D5
SetTextColor.GDI32(?,?), ref: 004675DB
SetBkColor.GDI32(?,?), ref: 004675E5

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 55d0318736b0772a1949b65653f3200c5e6c600fba70144629c60206c37a92f5
Instruction ID: 5f9819add917065c17b64733f817f7f96fdfbaae0f7fd08158243c25e175b628
Opcode Fuzzy Hash: 55d0318736b0772a1949b65653f3200c5e6c600fba70144629c60206c37a92f5
Instruction Fuzzy Hash: 5A615072900218BFDF019FA4DC89AEE7F79EB09320F114126F915AB2A1E7B49940CF95

Function 00460FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00461128
GetDesktopWindow.USER32 ref: 0046113D
GetWindowRect.USER32(00000000), ref: 00461144
GetWindowLongW.USER32(?,000000F0), ref: 00461199
DestroyWindow.USER32(?), ref: 004611B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004611ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0046121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00461232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00461245
IsWindowVisible.USER32(00000000), ref: 004612A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004612BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004612D0
GetWindowRect.USER32(00000000,?), ref: 004612E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0046130E
GetMonitorInfoW.USER32(00000000,?), ref: 00461328
CopyRect.USER32(?,?), ref: 0046133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004613AA

Strings

0, xrefs: 004610D3
tooltips_class32, xrefs: 004611E6
(, xrefs: 0046131B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e60b16767bae394e96cef67bf85ee590a0ef1ac08eb3a8973d719ec55d3d4e08
Instruction ID: 711f13c26a0242d7ab1c902bfbfbbe67d9e9e11fa9f64a723ad71dad4e2dd02c
Opcode Fuzzy Hash: e60b16767bae394e96cef67bf85ee590a0ef1ac08eb3a8973d719ec55d3d4e08
Instruction Fuzzy Hash: 89B19D71604341AFD700DF64D884B6BBBE4FF89300F04891AF99A9B261E775E844CB9A

Function 00460241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004602E5
_wcslen.LIBCMT ref: 0046031F
_wcslen.LIBCMT ref: 00460389
_wcslen.LIBCMT ref: 004603F1
_wcslen.LIBCMT ref: 00460475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004604C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00460504

Part of subcall function 003EF9F2: _wcslen.LIBCMT ref: 003EF9FD

Part of subcall function 0043223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00432258
Part of subcall function 0043223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0043228A

Strings

GETSUBITEMCOUNT, xrefs: 00460384, 0046039F
GETTEXT, xrefs: 004603EC, 00460407
FINDITEM, xrefs: 00460627
SELECT, xrefs: 00460548
SELECTCLEAR, xrefs: 0046052D
GETSELECTEDCOUNT, xrefs: 00460470, 0046048B
GETITEMCOUNT, xrefs: 00460316, 00460337
SELECTALL, xrefs: 00460515
SELECTINVERT, xrefs: 0046057E
DESELECT, xrefs: 0046059C
VIEWCHANGE, xrefs: 00460675
ISSELECTED, xrefs: 004604DD
GETSELECTED, xrefs: 004605E1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 39cc789392df8cb0eb6dfa50c6dba055ed8b5aaf809214642100aa71dc78891f
Instruction ID: e7c466bb66e1cf622bdd8359a7da85e2a5d06d04b8efd3a8334b8274659323d6
Opcode Fuzzy Hash: 39cc789392df8cb0eb6dfa50c6dba055ed8b5aaf809214642100aa71dc78891f
Instruction Fuzzy Hash: 5CE1A1322182019FCB14DF24D55093BB7E6BF88714F14496EF8969B3A1EB38ED45CB46

Function 003E8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003E8968
GetSystemMetrics.USER32(00000007), ref: 003E8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003E899B
GetSystemMetrics.USER32(00000008), ref: 003E89A3
GetSystemMetrics.USER32(00000004), ref: 003E89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003E89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003E89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003E8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003E8A3C
GetClientRect.USER32(00000000,000000FF), ref: 003E8A5A
GetStockObject.GDI32(00000011), ref: 003E8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 003E8A81

Part of subcall function 003E912D: GetCursorPos.USER32(?), ref: 003E9141
Part of subcall function 003E912D: ScreenToClient.USER32(00000000,?), ref: 003E915E
Part of subcall function 003E912D: GetAsyncKeyState.USER32(00000001), ref: 003E9183
Part of subcall function 003E912D: GetAsyncKeyState.USER32(00000002), ref: 003E919D

SetTimer.USER32(00000000,00000000,00000028,003E90FC), ref: 003E8AA8

Strings

AutoIt v3 GUI, xrefs: 003E8A20

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7ae0a20a725736c299bc5c4482d8756c6ea498cc1e54d8c4019f16b36a279674
Instruction ID: b20795716da95d3131ad2f124155777d6a9cb70cd9af56402f61dcb032b9a98b
Opcode Fuzzy Hash: 7ae0a20a725736c299bc5c4482d8756c6ea498cc1e54d8c4019f16b36a279674
Instruction Fuzzy Hash: 4BB19F75A00219DFDB14DFA8DC85BAE3BB4FB48314F11422AFA15A72D0DB74A840CF59

Function 00430D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00431114
Part of subcall function 004310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 00431120
Part of subcall function 004310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 0043112F
Part of subcall function 004310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 00431136
Part of subcall function 004310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0043114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00430DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00430E29
GetLengthSid.ADVAPI32(?), ref: 00430E40
GetAce.ADVAPI32(?,00000000,?), ref: 00430E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00430E96
GetLengthSid.ADVAPI32(?), ref: 00430EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00430EB5
HeapAlloc.KERNEL32(00000000), ref: 00430EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00430EDD
CopySid.ADVAPI32(00000000), ref: 00430EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00430F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00430F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00430F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00430F6E
HeapFree.KERNEL32(00000000), ref: 00430F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00430F7E
HeapFree.KERNEL32(00000000), ref: 00430F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00430F8E
HeapFree.KERNEL32(00000000), ref: 00430F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00430FA1
HeapFree.KERNEL32(00000000), ref: 00430FA8

Part of subcall function 00431193: GetProcessHeap.KERNEL32(00000008,00430BB1,?,00000000,?,00430BB1,?), ref: 004311A1
Part of subcall function 00431193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00430BB1,?), ref: 004311A8
Part of subcall function 00431193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00430BB1,?), ref: 004311B7

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 13ee4b0a590dad0996b6d94d7b970a667fa2fe69c9aca2720cd7adc9ed2ddf77
Instruction ID: 56f480d9e527abe2a120747fba223e3a3a18923dc645cbf3dc5257e9878310a4
Opcode Fuzzy Hash: 13ee4b0a590dad0996b6d94d7b970a667fa2fe69c9aca2720cd7adc9ed2ddf77
Instruction Fuzzy Hash: ED715D7190020AABDF209FA4DC45BEFBBB8BF09310F044226F959A6291D7B5D905CF69

Function 0045C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0045C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0046CC08,00000000,?,00000000,?,?), ref: 0045C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0045C5A4
_wcslen.LIBCMT ref: 0045C5F4
_wcslen.LIBCMT ref: 0045C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0045C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0045C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0045C84D
RegCloseKey.ADVAPI32(?), ref: 0045C881
RegCloseKey.ADVAPI32(00000000), ref: 0045C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0045C960

Strings

REG_MULTI_SZ, xrefs: 0045C6F5
REG_DWORD, xrefs: 0045C804
REG_SZ, xrefs: 0045C644
REG_BINARY, xrefs: 0045C913
REG_QWORD, xrefs: 0045C8C3
REG_EXPAND_SZ, xrefs: 0045C5CD

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b362385b803b7b66100a589db145a79064584dacd83acc09a333777cc8653dea
Instruction ID: df215ba949579bb94c29d3c6d612f2c4f05a9b99b7c934bdfba6a63ed6721f95
Opcode Fuzzy Hash: b362385b803b7b66100a589db145a79064584dacd83acc09a333777cc8653dea
Instruction Fuzzy Hash: B81288352043019FCB15DF14D881A2AB7E5FF89715F04889EF88A9B3A2DB35ED45CB86

Function 0046091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004609C6
_wcslen.LIBCMT ref: 00460A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00460A54
_wcslen.LIBCMT ref: 00460A8A
_wcslen.LIBCMT ref: 00460B06
_wcslen.LIBCMT ref: 00460B81

Part of subcall function 003EF9F2: _wcslen.LIBCMT ref: 003EF9FD

Part of subcall function 00432BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00432BFA

Strings

ISCHECKED, xrefs: 00460CE1
GETTEXT, xrefs: 00460C97
COLLAPSE, xrefs: 00460B01, 00460B1C
SELECT, xrefs: 00460D11
CHECK, xrefs: 00460A85, 00460AA0
UNCHECK, xrefs: 00460D3E
EXISTS, xrefs: 00460B7C, 00460B97
EXPAND, xrefs: 00460BF8
GETSELECTED, xrefs: 00460C4E
GETTOTALCOUNT, xrefs: 004609F2, 00460A17
GETITEMCOUNT, xrefs: 00460C1E

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 66e1a5c2884fd078baf592b2448f119246e13bc063951856fca4be2e15c52ae4
Instruction ID: c4aab442cfa48343b4d3a6d81303a826103bdc6807247950cddbee961680e313
Opcode Fuzzy Hash: 66e1a5c2884fd078baf592b2448f119246e13bc063951856fca4be2e15c52ae4
Instruction Fuzzy Hash: 8DE190322083018FC714DF65C45092BB7E2BF98754F148A5EF8969B3A2E739ED45CB86

Function 0045C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0045B6AE,?,?), ref: 0045C9B5
_wcslen.LIBCMT ref: 0045C9F1
_wcslen.LIBCMT ref: 0045CA68
_wcslen.LIBCMT ref: 0045CA9E
_wcslen.LIBCMT ref: 0045CAF9
_wcslen.LIBCMT ref: 0045CB2F
_wcslen.LIBCMT ref: 0045CB7F

Strings

HKU, xrefs: 0045CBF0
HKEY_CURRENT_CONFIG, xrefs: 0045CB79, 0045CB7E
HKEY_CURRENT_USER, xrefs: 0045CBBD
HKCR, xrefs: 0045CB29, 0045CB2E
HKEY_USERS, xrefs: 0045CBDF
HKCU, xrefs: 0045CBCE
HKLM, xrefs: 0045CA98, 0045CA9D
HKEY_CLASSES_ROOT, xrefs: 0045CAF3, 0045CAF8
HKEY_LOCAL_MACHINE, xrefs: 0045CA62, 0045CA67
HKCC, xrefs: 0045CBAC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a2d55ded253ffec81e85c58eb71a8b7dd258577376e5c46bb2d7792daa76a9de
Instruction ID: 187b062a15347c76607355c05fdf770b6f9f70170517c4e1ac232a810cbd474a
Opcode Fuzzy Hash: a2d55ded253ffec81e85c58eb71a8b7dd258577376e5c46bb2d7792daa76a9de
Instruction Fuzzy Hash: 6871153360022A8FCF11DE68D9C16BF3791AB60751B14412BFC56AB386E778DD49C398

Function 0046833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046835A
_wcslen.LIBCMT ref: 0046836E
_wcslen.LIBCMT ref: 00468391
_wcslen.LIBCMT ref: 004683B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004683F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00465BF2), ref: 0046844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00468487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004684CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00468501
FreeLibrary.KERNEL32(?), ref: 0046850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0046851D
DestroyIcon.USER32(?,?,?,?,?,00465BF2), ref: 0046852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00468549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00468555

Strings

.icl, xrefs: 00468368
.exe, xrefs: 00468388
.dll, xrefs: 004683AB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: fc16a0c3e2eb704be2bfdb8ece494f9ef34a4b24d247f67d8e7b35f3291814ce
Instruction ID: c924236796317267e8d202fa395bc9529f8310bddfa9fbb9f4741d0c4b1f64b5
Opcode Fuzzy Hash: fc16a0c3e2eb704be2bfdb8ece494f9ef34a4b24d247f67d8e7b35f3291814ce
Instruction Fuzzy Hash: 73610371500219BAEB14DF64CC81BBF77A8FB04710F10421AF916DA2D1FFB8A980C7A5

Function 003D7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00415153
#cs, xrefs: 003D7873, 003D78C5
#ce, xrefs: 003D78ED
#pragma compile, xrefs: 003D77D3
#requireadmin, xrefs: 003D77FF
#include, xrefs: 003D7847
#notrayicon, xrefs: 003D77E7
#OnAutoItStartRegister, xrefs: 003D7817
Cannot parse #include, xrefs: 00415279
Unterminated group of comments, xrefs: 0041528C
#comments-start, xrefs: 003D785F, 003D78B1
#comments-end, xrefs: 003D78D9
Bad directive syntax error, xrefs: 0041519A
#include-once, xrefs: 003D782F
', xrefs: 00415169

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1ac6702fb2dc245eddf4d3432450f2ea1ac17997b304d5ece3cb02979024e456
Instruction ID: 554d79c820d8afd333d963d1b931cb09850a31266a818ef907907f9b9f6b306b
Opcode Fuzzy Hash: 1ac6702fb2dc245eddf4d3432450f2ea1ac17997b304d5ece3cb02979024e456
Instruction Fuzzy Hash: FE81F672A00205BBDB12AF60EC42FFF3768AF55300F104427F909AE296FB75D941C695

Function 00435A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00435A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00435A40
SetWindowTextW.USER32(?,?), ref: 00435A57
GetDlgItem.USER32(?,000003EA), ref: 00435A6C
SetWindowTextW.USER32(00000000,?), ref: 00435A72
GetDlgItem.USER32(?,000003E9), ref: 00435A82
SetWindowTextW.USER32(00000000,?), ref: 00435A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00435AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00435AC3
GetWindowRect.USER32(?,?), ref: 00435ACC
_wcslen.LIBCMT ref: 00435B33
SetWindowTextW.USER32(?,?), ref: 00435B6F
GetDesktopWindow.USER32 ref: 00435B75
GetWindowRect.USER32(00000000), ref: 00435B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00435BD3
GetClientRect.USER32(?,?), ref: 00435BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00435C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00435C2F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: bed701163b5d3aa9997ece187007390d9f196d526edfb427aa7a47cca3ff0404
Instruction ID: 768d043f3fe99354a832753a4cd6cd1f486fb9957959b6a68b396fabd743788e
Opcode Fuzzy Hash: bed701163b5d3aa9997ece187007390d9f196d526edfb427aa7a47cca3ff0404
Instruction Fuzzy Hash: C9717F31900B05AFDB20DFA8CE85A6FBBF5FF48705F105529E582A26A0D779F940CB58

Function 004330F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043318D
_wcslen.LIBCMT ref: 004331F8

Strings

INSTANCE, xrefs: 00433453
NAME, xrefs: 00433335, 00433346
[I, xrefs: 0043339A
REGEXPCLASS, xrefs: 00433255, 00433266
TEXT, xrefs: 0043347C
CLASS, xrefs: 00433188, 004331A5
CLASSNN, xrefs: 004331F3, 00433204

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[I
API String ID: 176396367-4013862474
Opcode ID: 0ac1aa93286c756466e76ce3a98db8a49886407e2b1302ffb1d4d88ebea71c33
Instruction ID: 0b350968abf3388c174dbf5d84102a03e8e8c5c69e5e02fd6a60902705a4d88f
Opcode Fuzzy Hash: 0ac1aa93286c756466e76ce3a98db8a49886407e2b1302ffb1d4d88ebea71c33
Instruction Fuzzy Hash: B4E1E332A00516ABCF159FA8C4417FFBBB0BF18711F64912BE856A7340DB38AE858794

Function 003F00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003F00C6

Part of subcall function 003F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004A070C,00000FA0,7BC092C8,?,?,?,?,004123B3,000000FF), ref: 003F011C
Part of subcall function 003F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004123B3,000000FF), ref: 003F0127
Part of subcall function 003F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004123B3,000000FF), ref: 003F0138
Part of subcall function 003F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003F014E
Part of subcall function 003F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003F015C
Part of subcall function 003F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003F016A
Part of subcall function 003F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003F0195
Part of subcall function 003F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003F01A0

___scrt_fastfail.LIBCMT ref: 003F00E7

Part of subcall function 003F00A3: __onexit.LIBCMT ref: 003F00A9

Strings

InitializeConditionVariable, xrefs: 003F0148
WakeAllConditionVariable, xrefs: 003F0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 003F0122
kernel32.dll, xrefs: 003F0133
SleepConditionVariableCS, xrefs: 003F0154

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 74e7ae0700cd8e3781661419ff4035caed312fb69cbb619533860d46d538570b
Instruction ID: ad1859bc6a2304524acf411028fcbf2bea19223988ec70d7c3fa6aaaf3fab3ca
Opcode Fuzzy Hash: 74e7ae0700cd8e3781661419ff4035caed312fb69cbb619533860d46d538570b
Instruction Fuzzy Hash: D3218E366043156FE7166BB8BC45B7A3394DB46B50F100137F941E72D2EFF4AC008A99

Function 004444C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0046CC08), ref: 00444527
_wcslen.LIBCMT ref: 0044453B
_wcslen.LIBCMT ref: 00444599
_wcslen.LIBCMT ref: 004445F4
_wcslen.LIBCMT ref: 0044463F
_wcslen.LIBCMT ref: 004446A7

Part of subcall function 003EF9F2: _wcslen.LIBCMT ref: 003EF9FD

GetDriveTypeW.KERNEL32(?,00496BF0,00000061), ref: 00444743

Strings

cdrom, xrefs: 0044458F, 00444594
fixed, xrefs: 00444635, 0044463A
all, xrefs: 00444531, 00444536
removable, xrefs: 004445EA, 004445EF
network, xrefs: 0044469D, 004446A2
ramdisk, xrefs: 004446F1
unknown, xrefs: 00444708

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 5132cad60f9290e1ec808e60cb91b883e68f9cb931f2ae91353e4eda122bb4e3
Instruction ID: f46e7b2a6ac74a24d75d8003cd4f1a2e280fc577a9c7b3fc5022eedb8502cdb5
Opcode Fuzzy Hash: 5132cad60f9290e1ec808e60cb91b883e68f9cb931f2ae91353e4eda122bb4e3
Instruction Fuzzy Hash: 05B1FE316083029BD710DF28D890B6BB7E5BFE5720F50492EF596CB391E738D845CA96

Function 0046911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003E9BB2

DragQueryPoint.SHELL32(?,?), ref: 00469147

Part of subcall function 00467674: ClientToScreen.USER32(?,?), ref: 0046769A
Part of subcall function 00467674: GetWindowRect.USER32(?,?), ref: 00467710
Part of subcall function 00467674: PtInRect.USER32(?,?,00468B89), ref: 00467720

SendMessageW.USER32(?,000000B0,?,?), ref: 004691B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004691BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004691DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00469225
SendMessageW.USER32(?,000000B0,?,?), ref: 0046923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00469255
SendMessageW.USER32(?,000000B1,?,?), ref: 00469277
DragFinish.SHELL32(?), ref: 0046927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00469371

Strings

@GUI_DRAGID, xrefs: 004692E9
p#J, xrefs: 004692BB
@GUI_DROPID, xrefs: 0046929E
@GUI_DRAGFILE, xrefs: 00469320

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#J
API String ID: 221274066-3862987987
Opcode ID: 645a72105ec8e356b593260bef166280a0e6872db49b34a96738fbdb1bed6f7c
Instruction ID: fad172ca0584831ac11b899c3fec51f9e60f8891f3c0e93f72a8f368ff4234a6
Opcode Fuzzy Hash: 645a72105ec8e356b593260bef166280a0e6872db49b34a96738fbdb1bed6f7c
Instruction Fuzzy Hash: 12615D72108301AFC701DF54DC85EAFBBE8EF89750F00092EF595972A1EB749A49CB56

Function 003D326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004A1990), ref: 00412F8D
GetMenuItemCount.USER32(004A1990), ref: 0041303D
GetCursorPos.USER32(?), ref: 00413081
SetForegroundWindow.USER32(00000000), ref: 0041308A
TrackPopupMenuEx.USER32(004A1990,00000000,?,00000000,00000000,00000000), ref: 0041309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004130A9

Strings

0, xrefs: 003D327D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 388e2d6f14ca280194b29b5c9cba13b0f4a0472f720f87d456e07406f639155a
Instruction ID: 6fc13b8b45a6bb06250875ac203e7846e9b54bac9bfafed93fbd220b1de8ec7d
Opcode Fuzzy Hash: 388e2d6f14ca280194b29b5c9cba13b0f4a0472f720f87d456e07406f639155a
Instruction Fuzzy Hash: FA710731640215BEEB218F25DD89FEABF64FF04324F204217F515AA2E0C7B5AD60DB99

Function 00466CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00466DEB

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00466E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00466E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00466E94
DestroyWindow.USER32(?), ref: 00466EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003D0000,00000000), ref: 00466EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00466EFD
GetDesktopWindow.USER32 ref: 00466F16
GetWindowRect.USER32(00000000), ref: 00466F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00466F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00466F4D

Part of subcall function 003E9944: GetWindowLongW.USER32(?,000000EB), ref: 003E9952

Strings

tooltips_class32, xrefs: 00466E58, 00466EDD
0, xrefs: 00466D98

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6c23ade686646e63054f05214a30fbce2cd26eada0fe013398b687e1fd93f02e
Instruction ID: 2e2f9b22c2c486feabf3566ca12232790ecf8c06629fcdb698cd487cdc81bf02
Opcode Fuzzy Hash: 6c23ade686646e63054f05214a30fbce2cd26eada0fe013398b687e1fd93f02e
Instruction Fuzzy Hash: 4A716774104241AFDB25CF18D884BBBBBE9FB99304F04042EF99987361E775AD16CB1A

Function 0044C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0044C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0044C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0044C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0044C5F0
InternetCloseHandle.WININET(00000000), ref: 0044C5FB

Strings

, xrefs: 0044C575

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 79d006b557940c92cc16ab36a172616e209daf752046fb9e5cf6cad2b7ab8b1f
Instruction ID: 097cd899fc3708af7d2ac850b43dc77148f1dae1364d9667c04b13fde29850b3
Opcode Fuzzy Hash: 79d006b557940c92cc16ab36a172616e209daf752046fb9e5cf6cad2b7ab8b1f
Instruction Fuzzy Hash: F25181B0501205BFEB619F61C9C8ABB7BFCFF08345F04442AF94596250EB78E944DB69

Function 0046856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00468592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004685A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004685AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004685BA
GlobalLock.KERNEL32(00000000), ref: 004685C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004685D7
GlobalUnlock.KERNEL32(00000000), ref: 004685E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004685E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004685F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0046FC38,?), ref: 00468611
GlobalFree.KERNEL32(00000000), ref: 00468621
GetObjectW.GDI32(?,00000018,?), ref: 00468641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00468671
DeleteObject.GDI32(?), ref: 00468699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004686AF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 762a8e5edfc381e7ba334684329a44788991fea8258595e53b495b5c25952b0f
Instruction ID: a5f2fbf1bccfcdd181b7c8247d492936cede987321494c5c8c97c5b3238966d3
Opcode Fuzzy Hash: 762a8e5edfc381e7ba334684329a44788991fea8258595e53b495b5c25952b0f
Instruction Fuzzy Hash: E3412C75600204BFDB119FA5CC88EAB7BB8FF89711F104169F945D7260EB749941CB2A

Function 004414BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00441502
VariantCopy.OLEAUT32(?,?), ref: 0044150B
VariantClear.OLEAUT32(?), ref: 00441517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004415FB
VarR8FromDec.OLEAUT32(?,?), ref: 00441657
VariantInit.OLEAUT32(?), ref: 00441708
SysFreeString.OLEAUT32(?), ref: 0044178C
VariantClear.OLEAUT32(?), ref: 004417D8
VariantClear.OLEAUT32(?), ref: 004417E7
VariantInit.OLEAUT32(00000000), ref: 00441823

Strings

Default, xrefs: 004416AF
%4d%02d%02d%02d%02d%02d, xrefs: 00441625

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 4c38c68716aad366eb33155d9fec0701e8497afbe0994999e0a127bbd88aade0
Instruction ID: ab0d26f86831fbcf905a61e25f7c0d20ed22a08e1c31b80699271a50a91a5e54
Opcode Fuzzy Hash: 4c38c68716aad366eb33155d9fec0701e8497afbe0994999e0a127bbd88aade0
Instruction Fuzzy Hash: 86D1F431600119EBEB00AF65E885BBAB7B5BF45700F508157E446AF2A0DF78EC81DB66

Function 0045B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

Part of subcall function 0045C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0045B6AE,?,?), ref: 0045C9B5
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045C9F1
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045CA68
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0045B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0045B80A
RegCloseKey.ADVAPI32(?), ref: 0045B87E
RegCloseKey.ADVAPI32(?), ref: 0045B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0045B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0045B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0045B922
FreeLibrary.KERNEL32(00000000), ref: 0045B983
RegCloseKey.ADVAPI32(00000000), ref: 0045B994

Strings

advapi32.dll, xrefs: 0045B8ED
RegDeleteKeyExW, xrefs: 0045B8FE

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 536213d25db6cd1834da481ae64eefac4a23027f0f21b1d81b46e095c91a73c8
Instruction ID: 64007492d1b984f0a63086fb62f6c99d0023c40d272258e925aa17083d038be9
Opcode Fuzzy Hash: 536213d25db6cd1834da481ae64eefac4a23027f0f21b1d81b46e095c91a73c8
Instruction Fuzzy Hash: 20C17B35204201AFD711DF14C495F2ABBE5FF84308F14859EE89A8B3A2CB75EC49CB96

Function 0045255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004525D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004525E8
CreateCompatibleDC.GDI32(?), ref: 004525F4
SelectObject.GDI32(00000000,?), ref: 00452601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0045266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004526AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004526D0
SelectObject.GDI32(?,?), ref: 004526D8
DeleteObject.GDI32(?), ref: 004526E1
DeleteDC.GDI32(?), ref: 004526E8
ReleaseDC.USER32(00000000,?), ref: 004526F3

Strings

(, xrefs: 0045268D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f0a69030088b51772e20c09dd1bca168c20452b0f87f4112670c3b67ac949322
Instruction ID: 5a47f57da77f76204d38666c4e9d9f168079b8cc96b387ca1ba934c506ef903f
Opcode Fuzzy Hash: f0a69030088b51772e20c09dd1bca168c20452b0f87f4112670c3b67ac949322
Instruction Fuzzy Hash: E661F275D00219EFCF04CFA8D984AAEBBB5FF48310F20852AE955A7251E7B4A941CF94

Function 0040DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0040DAA1

Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D659
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D66B
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D67D
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D68F
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D6A1
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D6B3
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D6C5
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D6D7
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D6E9
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D6FB
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D70D
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D71F
Part of subcall function 0040D63C: _free.LIBCMT ref: 0040D731

_free.LIBCMT ref: 0040DA96

Part of subcall function 004029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000), ref: 004029DE
Part of subcall function 004029C8: GetLastError.KERNEL32(00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000,00000000), ref: 004029F0

_free.LIBCMT ref: 0040DAB8
_free.LIBCMT ref: 0040DACD
_free.LIBCMT ref: 0040DAD8
_free.LIBCMT ref: 0040DAFA
_free.LIBCMT ref: 0040DB0D
_free.LIBCMT ref: 0040DB1B
_free.LIBCMT ref: 0040DB26
_free.LIBCMT ref: 0040DB5E
_free.LIBCMT ref: 0040DB65
_free.LIBCMT ref: 0040DB82
_free.LIBCMT ref: 0040DB9A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a90281a1d0977743c4308874f33f7d10a3ea828427e0bf25d3e8dc484d3ea4ed
Instruction ID: e074bd7dafa67c9f21299c2f53de12cec83c0b52a454a2b57f3641906fadea96
Opcode Fuzzy Hash: a90281a1d0977743c4308874f33f7d10a3ea828427e0bf25d3e8dc484d3ea4ed
Instruction Fuzzy Hash: 83315BB1A042049FEB21AABAE945B5777E9FF00314F21443FE449E72D1DB79AC44CB28

Function 0043365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0043369C
_wcslen.LIBCMT ref: 004336A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00433797
GetClassNameW.USER32(?,?,00000400), ref: 0043380C
GetDlgCtrlID.USER32(?), ref: 0043385D
GetWindowRect.USER32(?,?), ref: 00433882
GetParent.USER32(?), ref: 004338A0
ScreenToClient.USER32(00000000), ref: 004338A7
GetClassNameW.USER32(?,?,00000100), ref: 00433921
GetWindowTextW.USER32(?,?,00000400), ref: 0043395D

Strings

%s%u, xrefs: 00433734

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: d7d03d0b1f163e8272d7cb76d12a43dd67e6424fbe02bc010f2b591726b0a207
Instruction ID: f9b3094562c36373b5c8d8a05d9cea272ab0b520b369f1e67ecccc6d05521107
Opcode Fuzzy Hash: d7d03d0b1f163e8272d7cb76d12a43dd67e6424fbe02bc010f2b591726b0a207
Instruction Fuzzy Hash: DA91E371200206EFD719DF24C885BBBF7A8FF48311F00962AF999C6290DB74EA45CB95

Function 00434954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00434994
GetWindowTextW.USER32(?,?,00000400), ref: 004349DA
_wcslen.LIBCMT ref: 004349EB
CharUpperBuffW.USER32(?,00000000), ref: 004349F7
_wcsstr.LIBVCRUNTIME ref: 00434A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00434A64
GetWindowTextW.USER32(?,?,00000400), ref: 00434A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00434AE6
GetClassNameW.USER32(?,?,00000400), ref: 00434B20
GetWindowRect.USER32(?,?), ref: 00434B8B

Strings

ThumbnailClass, xrefs: 00434A6F, 00434AF1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5a578b4fa322df00056127804198093fdeb73066b2c5c2c27433a876f60cc3ef
Instruction ID: d0351420d8d0ca71679685baf6d9244ded07be986facf32f65ceb89842f68f2c
Opcode Fuzzy Hash: 5a578b4fa322df00056127804198093fdeb73066b2c5c2c27433a876f60cc3ef
Instruction Fuzzy Hash: 1791BE711042059BDB05DF14C881BABB7E8FF88314F04946BFD859A295EB38FD45CBA9

Function 00468D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003E9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00468D5A
GetFocus.USER32 ref: 00468D6A
GetDlgCtrlID.USER32(00000000), ref: 00468D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00468E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00468ECF
GetMenuItemCount.USER32(?), ref: 00468EEC
GetMenuItemID.USER32(?,00000000), ref: 00468EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00468F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00468F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00468FA1

Strings

0, xrefs: 00468E9F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: eec92f2ee7b9224b9bc6bb623d864a5d8b1fa23f1dade8f4e5ab87941b75380d
Instruction ID: 53a5fe52f88ca8a24a9b503cb32be038371b70d001c3a49a83ee4e5ab4e675ee
Opcode Fuzzy Hash: eec92f2ee7b9224b9bc6bb623d864a5d8b1fa23f1dade8f4e5ab87941b75380d
Instruction Fuzzy Hash: 94819D71508311AFDB14CF14C884A6B7BE9FB88314F040A2EF985D7291EB75D901CB6B

Function 0043DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0043DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0043DC46
_wcslen.LIBCMT ref: 0043DC50
_wcsstr.LIBVCRUNTIME ref: 0043DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0043DCBC

Strings

DefaultLangCodepage, xrefs: 0043DD1F
StringFileInfo\, xrefs: 0043DC8F
04090000, xrefs: 0043DCF2
%u.%u.%u.%u, xrefs: 0043DD9A
\VarFileInfo\Translation, xrefs: 0043DCB4

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 72e59c8b77774b2ba56790934daa67fe9dcda4fe3267e55850d5d803e6773cbc
Instruction ID: 95f69fd3d82087967aee06a7653ca776763dde4e3e28d8c36ce608c0fe77cdc9
Opcode Fuzzy Hash: 72e59c8b77774b2ba56790934daa67fe9dcda4fe3267e55850d5d803e6773cbc
Instruction Fuzzy Hash: 47413B329402157ADB06B775AC43FBF776CEF49710F10007BFA00AA182FB79A90187A9

Function 0045CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0045CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0045CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0045CD48

Part of subcall function 0045CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0045CCAA
Part of subcall function 0045CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0045CCBD
Part of subcall function 0045CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0045CCCF
Part of subcall function 0045CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0045CD05
Part of subcall function 0045CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0045CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0045CCF3

Strings

advapi32.dll, xrefs: 0045CCB8
RegDeleteKeyExW, xrefs: 0045CCC9

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: ef58540ec5b1cdc3b3d77e0474b7e096ae16ca773f7effb17c23024b9d27db9a
Instruction ID: e7f74f1427adedb248195232770a7d8b7de0048120906facacc0b05b82e48795
Opcode Fuzzy Hash: ef58540ec5b1cdc3b3d77e0474b7e096ae16ca773f7effb17c23024b9d27db9a
Instruction Fuzzy Hash: 16318271901218BFDB219B90DCC8EFFBB7CEF05741F000176E905E2241E6B89A499AA9

Function 0043E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0043E6B4

Part of subcall function 003EE551: timeGetTime.WINMM(?,?,0043E6D4), ref: 003EE555

Sleep.KERNEL32(0000000A), ref: 0043E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0043E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0043E727
SetActiveWindow.USER32 ref: 0043E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0043E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0043E773
Sleep.KERNEL32(000000FA), ref: 0043E77E
IsWindow.USER32 ref: 0043E78A
EndDialog.USER32(00000000), ref: 0043E79B

Strings

BUTTON, xrefs: 0043E719

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 6ba6336a60cf052a5d6444627a65a477653b609b2dda7f514d098676b7b42fa4
Instruction ID: 596f097bfe152623a7b2c3e8dc4e97de4024309e7f6bb7cdbff50a9577170f4c
Opcode Fuzzy Hash: 6ba6336a60cf052a5d6444627a65a477653b609b2dda7f514d098676b7b42fa4
Instruction Fuzzy Hash: C9219570242201AFEB006F66EDD9A363F69E75A359F102436F451926F1EBF59C00AB2D

Function 0043E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0043EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0043EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0043EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0043EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0043EAA7

Strings

close PlayMe, xrefs: 0043EA6E, 0043EA9B
play PlayMe wait, xrefs: 0043EA91
alias PlayMe, xrefs: 0043EA36
play PlayMe, xrefs: 0043EAA2
status PlayMe mode, xrefs: 0043EA58
open , xrefs: 0043EA0C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4246fa07c4a46d2678fbc2d89f266bd447e39a58ebb3db85cda29539789582b2
Instruction ID: eb90d5585ac9b807df1074eb7e6a0c622c0d885cfcc3bcb5fbf47557852fcbeb
Opcode Fuzzy Hash: 4246fa07c4a46d2678fbc2d89f266bd447e39a58ebb3db85cda29539789582b2
Instruction Fuzzy Hash: AA11C171A9026979DB21B3A2EC4AFFF6E7CEBC1B00F10043BB801A61D0EAB40D04C5B4

Function 003E8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 003E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003E8BE8,?,00000000,?,?,?,?,003E8BBA,00000000,?), ref: 003E8FC5

DestroyWindow.USER32(?), ref: 003E8C81
KillTimer.USER32(00000000,?,?,?,?,003E8BBA,00000000,?), ref: 003E8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00426973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,003E8BBA,00000000,?), ref: 004269A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,003E8BBA,00000000,?), ref: 004269B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,003E8BBA,00000000), ref: 004269D4
DeleteObject.GDI32(00000000), ref: 004269E6

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c5433c11531f2598a0c986f452edc55cd64fc8457d547867989069a1ed1f2c58
Instruction ID: a76f52781045eb22c72164d05c4c428181d4a6cf2411e95f094ffdd7b19f1bac
Opcode Fuzzy Hash: c5433c11531f2598a0c986f452edc55cd64fc8457d547867989069a1ed1f2c58
Instruction Fuzzy Hash: 5361D570902760DFCB229F16D948726BBF5FB42312F51462EE0465BAB0CB75AC80CF99

Function 003E9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 003E9944: GetWindowLongW.USER32(?,000000EB), ref: 003E9952

GetSysColor.USER32(0000000F), ref: 003E9862

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6347b463d5d97cd196da6fca6ec5b26e1efdf811a329b20fa33cc38ec807db94
Instruction ID: a3deded88b7d4a2340f13a962616d5a3356474ae1f14e1203d53eea550a2ad79
Opcode Fuzzy Hash: 6347b463d5d97cd196da6fca6ec5b26e1efdf811a329b20fa33cc38ec807db94
Instruction Fuzzy Hash: 2F41C4311046A0AFDB215F399C84BBA3BA9AB17330F154716F9E28B2F2D7709C41DB16

Function 00408D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.?, xrefs: 0040903A, 00408FD0, 00408FF2

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: .?
API String ID: 0-532706291
Opcode ID: 2c27f84472046b02f80f937a611b3d71960fce4cf7211fbfce2579c02a3ec11d
Instruction ID: 1316cfd8904b121691bf05aae5585be67d191bb816f4851484ab4fd6881dcc52
Opcode Fuzzy Hash: 2c27f84472046b02f80f937a611b3d71960fce4cf7211fbfce2579c02a3ec11d
Instruction Fuzzy Hash: 87C1E3B4904249AFDB11DFA8C841BAEBBB0AF49310F14417AF954BB3D2C7789D41CB69

Function 004396E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0041F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00439717
LoadStringW.USER32(00000000,?,0041F7F8,00000001), ref: 00439720

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0041F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00439742
LoadStringW.USER32(00000000,?,0041F7F8,00000001), ref: 00439745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00439866

Strings

Line %d:, xrefs: 004397A0
Line %d (File "%s"):, xrefs: 0043978F
^ ERROR, xrefs: 004397FB
%s (%d) : ==> %s: %s %s, xrefs: 0043984A
Error: , xrefs: 0043981D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ce56a9afac7bd32d8288e63afd6eb433fd32148414203b0946e9cfb8989ae8ea
Instruction ID: f1f1b80b3c7694d9e005a4250ab9b94264d2762ca2405b2f42b943352944e584
Opcode Fuzzy Hash: ce56a9afac7bd32d8288e63afd6eb433fd32148414203b0946e9cfb8989ae8ea
Instruction Fuzzy Hash: 49416172900219AADF06FBE0EE82EEE7778AF55344F100067F50176192EB756F48CB65

Function 004306DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004307A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004307BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004307DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00430804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0043082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00430837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0043083C

Strings

SOFTWARE\Classes\, xrefs: 0043070E
\CLSID, xrefs: 00430724
\IPC$, xrefs: 00430784

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 3757c058656b8cecd3411e4ab6109d261ac8924fe2d21fcc5d4ac0b4ea0e488a
Instruction ID: a14079687a5904e5b08a94bc882428a6a34f94218c4689e9e39d84d7ee31b208
Opcode Fuzzy Hash: 3757c058656b8cecd3411e4ab6109d261ac8924fe2d21fcc5d4ac0b4ea0e488a
Instruction Fuzzy Hash: 69412A76D00228ABDF16EB94EC95DEEB778FF04340F144166F901A7260EB749E04CB90

Function 00453C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00453C5C
CoInitialize.OLE32(00000000), ref: 00453C8A
CoUninitialize.OLE32 ref: 00453C94
_wcslen.LIBCMT ref: 00453D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00453DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00453ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00453F0E
CoGetObject.OLE32(?,00000000,0046FB98,?), ref: 00453F2D
SetErrorMode.KERNEL32(00000000), ref: 00453F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00453FC4
VariantClear.OLEAUT32(?), ref: 00453FD8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 19192387462ed6706f1f537323f6999ee0a8a0e2248f02b4c6d294cdfe4b3ce2
Instruction ID: 422465c3d8a7c19426c8e7215bb231e8d9a8f52ec04c08abd519700b46f5ef71
Opcode Fuzzy Hash: 19192387462ed6706f1f537323f6999ee0a8a0e2248f02b4c6d294cdfe4b3ce2
Instruction Fuzzy Hash: 41C147726082059FC700DF64C88492BB7F9FF8978AF00495EF98A9B211D775EE09CB56

Function 00447A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00447AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00447B8F
SHGetDesktopFolder.SHELL32(?), ref: 00447BA3
CoCreateInstance.OLE32(0046FD08,00000000,00000001,00496E6C,?), ref: 00447BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00447C74
CoTaskMemFree.OLE32(?,?), ref: 00447CCC
SHBrowseForFolderW.SHELL32(?), ref: 00447D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00447D7A
CoTaskMemFree.OLE32(00000000), ref: 00447D81
CoTaskMemFree.OLE32(00000000), ref: 00447DD6
CoUninitialize.OLE32 ref: 00447DDC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ae641fb0b13a5b9d6cdebb3b6352729e92409f0af08a0f9a56a87487593be523
Instruction ID: d060ea4a6e1f452cd30e470f6bc5b924654600e8ae499c7ecfe73164545fdafc
Opcode Fuzzy Hash: ae641fb0b13a5b9d6cdebb3b6352729e92409f0af08a0f9a56a87487593be523
Instruction Fuzzy Hash: 3FC15D75A04105AFDB10DF64D884DAEBBF9FF48304B1484AAE819DB361D734ED42CB94

Function 0046541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00465504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00465515
CharNextW.USER32(00000158), ref: 00465544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00465585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0046559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004655AC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5aeda2113714e8d27dcca35aaf5d94e47a8992fbac74279206f47bad9320c2a6
Instruction ID: 257c5c232cde98eb0fcc20e962be087428c59fc492e8406ca20d513d7edeb196
Opcode Fuzzy Hash: 5aeda2113714e8d27dcca35aaf5d94e47a8992fbac74279206f47bad9320c2a6
Instruction Fuzzy Hash: 1D61B070900609BFDF10DF64CC84AFF3BB9EB05724F10415AF565A7290EB788A85DB6A

Function 0042FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0042FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0042FB08
VariantInit.OLEAUT32(?), ref: 0042FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0042FB3A
VariantCopy.OLEAUT32(?,?), ref: 0042FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0042FBA1
VariantClear.OLEAUT32(?), ref: 0042FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0042FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0042FBCC
VariantClear.OLEAUT32(?), ref: 0042FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0042FBE9

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d75fdd8391bcb6044642b8f0f1af568f23c0fb25de4846d68bea88b14e56cd9d
Instruction ID: ba960abe9e14a180938bc8ca0caad33231a0e9f89986157487d6a7811966c942
Opcode Fuzzy Hash: d75fdd8391bcb6044642b8f0f1af568f23c0fb25de4846d68bea88b14e56cd9d
Instruction Fuzzy Hash: A5416235A002199FCF00DF64D8949BEBBB9FF48344F80807AE945AB261DB74E945CFA5

Function 00439C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00439CA1
GetAsyncKeyState.USER32(000000A0), ref: 00439D22
GetKeyState.USER32(000000A0), ref: 00439D3D
GetAsyncKeyState.USER32(000000A1), ref: 00439D57
GetKeyState.USER32(000000A1), ref: 00439D6C
GetAsyncKeyState.USER32(00000011), ref: 00439D84
GetKeyState.USER32(00000011), ref: 00439D96
GetAsyncKeyState.USER32(00000012), ref: 00439DAE
GetKeyState.USER32(00000012), ref: 00439DC0
GetAsyncKeyState.USER32(0000005B), ref: 00439DD8
GetKeyState.USER32(0000005B), ref: 00439DEA

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 91a89c4323071e9b7a15dcef0151b1c75ef4cecface302efa33081ab7f2b3ba8
Instruction ID: 72d95341d84849faa76b66e94c8a55568b4c3afd7f93f77c5e8f1e76843e7a5f
Opcode Fuzzy Hash: 91a89c4323071e9b7a15dcef0151b1c75ef4cecface302efa33081ab7f2b3ba8
Instruction Fuzzy Hash: 9A41C7345047CA69FF30966488453B7BEA06F19344F08A05BD6C7567C2EBE89DC4CB9A

Function 0045055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004505BC
inet_addr.WSOCK32(?), ref: 0045061C
gethostbyname.WSOCK32(?), ref: 00450628
IcmpCreateFile.IPHLPAPI ref: 00450636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004506C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004506E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004507B9
WSACleanup.WSOCK32 ref: 004507BF

Strings

Ping, xrefs: 00450676

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 70bc159b291f20e692cc3ac3637024c9ea1974171e4e654762627e0610a3e903
Instruction ID: 5d35e0bd6736456ed0aa445e4fed73391775cb11bda08fb9643e7d75b67acb78
Opcode Fuzzy Hash: 70bc159b291f20e692cc3ac3637024c9ea1974171e4e654762627e0610a3e903
Instruction Fuzzy Hash: E2919F795042019FD320DF15D488F1ABBE0AF48319F1485AAF8698F7A2D774ED49CF86

Function 00458CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00458CF3

Part of subcall function 00438E54: _wcslen.LIBCMT ref: 00438E77

_wcslen.LIBCMT ref: 00458D4E
_wcslen.LIBCMT ref: 00458D9C
_wcslen.LIBCMT ref: 00458DDC
_wcslen.LIBCMT ref: 00458E6E

Strings

none, xrefs: 00458E65, 00458E6A
stdcall, xrefs: 00458DD6, 00458DDB
cdecl, xrefs: 00458D48, 00458D4D
winapi, xrefs: 00458D96, 00458D9B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 10fbac488163d5dfcc24c393afb4e1ce281154ea6d3e79c26a9f39a71d9cc165
Instruction ID: 752cdc2e2184379ffb6ff46ffba1f74f72e8c660c6bc7d86e6763967600410db
Opcode Fuzzy Hash: 10fbac488163d5dfcc24c393afb4e1ce281154ea6d3e79c26a9f39a71d9cc165
Instruction Fuzzy Hash: C551A032A001169BCB14DF68C9419BFB7B1AF64725B20422EE866F7382DF39DD49C794

Function 0045372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00453774
CoUninitialize.OLE32 ref: 0045377F
CoCreateInstance.OLE32(?,00000000,00000017,0046FB78,?), ref: 004537D9
IIDFromString.OLE32(?,?), ref: 0045384C
VariantInit.OLEAUT32(?), ref: 004538E4
VariantClear.OLEAUT32(?), ref: 00453936

Strings

Failed to create object, xrefs: 004537E4, 0045389A
Invalid parameter, xrefs: 00453865
NULL Pointer assignment, xrefs: 0045381E

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 505a14bd3a85e43e6ce63857d80e0ca1fb910dc817fe19cee4371df88cfc5cbe
Instruction ID: d24fe4b1db39daf6e587c5b4f65b19a84573ee8dcbe2a60d851973960eda9242
Opcode Fuzzy Hash: 505a14bd3a85e43e6ce63857d80e0ca1fb910dc817fe19cee4371df88cfc5cbe
Instruction Fuzzy Hash: F361D070608301AFD311EF55C884B6ABBE4EF48746F10491EF8819B392D774EE48CB9A

Function 00448195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00448257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00448267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00448273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00448310
SetCurrentDirectoryW.KERNEL32(?), ref: 00448324
SetCurrentDirectoryW.KERNEL32(?), ref: 00448356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0044838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00448395

Strings

*.*, xrefs: 0044839B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c0df49adfc6bcab53e045ae1403009e2a9bf5041bbda7867c96d016b0ac0c10a
Instruction ID: b8cad3f25ad8643ec0976e0e2b858835182e2fe732016ff096d6097f9b0f1d26
Opcode Fuzzy Hash: c0df49adfc6bcab53e045ae1403009e2a9bf5041bbda7867c96d016b0ac0c10a
Instruction Fuzzy Hash: A16178725043059FDB10EF60D8809AFB3E8FF89314F04896EF98987251EB35E945CB96

Function 00468B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003E9BB2

Part of subcall function 003E912D: GetCursorPos.USER32(?), ref: 003E9141
Part of subcall function 003E912D: ScreenToClient.USER32(00000000,?), ref: 003E915E
Part of subcall function 003E912D: GetAsyncKeyState.USER32(00000001), ref: 003E9183
Part of subcall function 003E912D: GetAsyncKeyState.USER32(00000002), ref: 003E919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00468B6B
ImageList_EndDrag.COMCTL32 ref: 00468B71
ReleaseCapture.USER32 ref: 00468B77
SetWindowTextW.USER32(?,00000000), ref: 00468C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00468C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00468CFF

Strings

p#J, xrefs: 00468C71
@GUI_DROPID, xrefs: 00468C51
@GUI_DRAGFILE, xrefs: 00468C9A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#J
API String ID: 1924731296-3935208611
Opcode ID: 3516c65a7f91cf354c62989070c1498723b1fb493d4ece64ea7d5608ef5f80ea
Instruction ID: 5641c369cd6f37253e8e2ba14f6af11535f8a7da51c03376e0a1962752685f65
Opcode Fuzzy Hash: 3516c65a7f91cf354c62989070c1498723b1fb493d4ece64ea7d5608ef5f80ea
Instruction Fuzzy Hash: F4518C75104304AFD700EF14DC95FAA77E4FB88714F00062EF9969B2E1DB749904CB6A

Function 00443388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004433CF

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004433F0

Strings

Incorrect parameters to object property !, xrefs: 004434AB
Line %d (File "%s"):, xrefs: 00443443, 0044345C
^ ERROR , xrefs: 0044349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00443504
"%s" (%d) : ==> %s:, xrefs: 00443522
Error: , xrefs: 004434D1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: b3df72b346f56e9073e535f5684cdc776fb44a6f013cf7795cbf8806ff09d552
Instruction ID: 22a46d9430f50a509e79d669c63ede8fda8966c718c05ac36680224bc5d36f6e
Opcode Fuzzy Hash: b3df72b346f56e9073e535f5684cdc776fb44a6f013cf7795cbf8806ff09d552
Instruction Fuzzy Hash: AD51B232900109BAEF16EBE0DD42EEEB778AF04744F204067F405762A1EB752F58DB65

Function 0043B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0043B5FC
_wcslen.LIBCMT ref: 0043B608
_wcslen.LIBCMT ref: 0043B64D
_wcslen.LIBCMT ref: 0043B68C
_wcslen.LIBCMT ref: 0043B6C7

Strings

REMOVE, xrefs: 0043B602, 0043B607
KEYS, xrefs: 0043B647, 0043B64C
APPEND, xrefs: 0043B6C1, 0043B6C6
EXISTS, xrefs: 0043B686, 0043B68B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d278c56848a3157addea030f7b9f1b68d99c1c62934ffd8cd4a8432e25799609
Instruction ID: e344b6ce6a35eae7c19ed9f4bad11f199d1f077fbcec95147f4b88f1365b267c
Opcode Fuzzy Hash: d278c56848a3157addea030f7b9f1b68d99c1c62934ffd8cd4a8432e25799609
Instruction Fuzzy Hash: 3A411732A001268BCB105F7DC8916BF77A5EBA8754F24512BE621DB385E739CC81C3D5

Function 00445393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004453A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00445416
GetLastError.KERNEL32 ref: 00445420
SetErrorMode.KERNEL32(00000000,READY), ref: 004454A7

Strings

UNKNOWN, xrefs: 00445444
READY, xrefs: 00445460, 00445468
INVALID, xrefs: 00445459
READONLY, xrefs: 00445452
NOTREADY, xrefs: 0044544B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a3b82cb3c0024a87694a3cb3497bc183a8c5f826c5f74e8c989d834bfce6da50
Instruction ID: 7cc7e25c1f5f6046d300e8624611ab8df5ee5e00652e6ba885b08dba7cef295b
Opcode Fuzzy Hash: a3b82cb3c0024a87694a3cb3497bc183a8c5f826c5f74e8c989d834bfce6da50
Instruction Fuzzy Hash: 90319F35A005049FEF11DF68D484BAABBB4EB05305F14806BE405CF392EB79DD86CB95

Function 00463C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00463C79
SetMenu.USER32(?,00000000), ref: 00463C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00463D10
IsMenu.USER32(?), ref: 00463D24
CreatePopupMenu.USER32 ref: 00463D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00463D5B
DrawMenuBar.USER32 ref: 00463D63

Strings

F, xrefs: 00463D4E
0, xrefs: 00463C54

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: acb26d4e10a57ce3860757da4fda3b4b3c411c5589ce985839925af39666560a
Instruction ID: c8723f138eb06ba17f3f48e031b447e476e2e588a99f449edb3fa37dd8585539
Opcode Fuzzy Hash: acb26d4e10a57ce3860757da4fda3b4b3c411c5589ce985839925af39666560a
Instruction Fuzzy Hash: C6419C79A01209EFDB14CF64DC84EAA7BB5FF49341F14002AF94697360E774AA10CF9A

Function 00463A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00463A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00463AA0
GetWindowLongW.USER32(?,000000F0), ref: 00463AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00463AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00463B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00463BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00463BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00463BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00463BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00463C13

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5ac0025c75f7a9c78c3f5dfa36e9414a8837ddbcdc93594e8f28f3d79599996b
Instruction ID: 9f083af513187f39f1d4c43fe952537c88870d0839d5fcd0b3fc6d2eb458b448
Opcode Fuzzy Hash: 5ac0025c75f7a9c78c3f5dfa36e9414a8837ddbcdc93594e8f28f3d79599996b
Instruction Fuzzy Hash: D4617D75900248AFDB10DF64CC81EEE77B8EF09704F1001AAFA15AB3A2D774AE45DB55

Function 0043B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0043A1E1,?,00000001), ref: 0043B165
GetWindowThreadProcessId.USER32(00000000), ref: 0043B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0043A1E1,?,00000001), ref: 0043B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0043A1E1,?,00000001), ref: 0043B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0043A1E1,?,00000001), ref: 0043B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0043A1E1,?,00000001), ref: 0043B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0043A1E1,?,00000001), ref: 0043B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0043A1E1,?,00000001), ref: 0043B21D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 16d4997ff5aaa11eaf395e6e29b49ed117988c5385346c6ce597de556c8860cd
Instruction ID: 2665b9bbfc0ad2605a72bfec2bf8a247f526ae0237e30931d0c2d7118926eb8a
Opcode Fuzzy Hash: 16d4997ff5aaa11eaf395e6e29b49ed117988c5385346c6ce597de556c8860cd
Instruction Fuzzy Hash: A631E171100204BFEB109F64DC89B7F7BA9FB5A356F105126FA11C6390E7B89A008FAD

Function 00402C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00402C94

Part of subcall function 004029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000), ref: 004029DE
Part of subcall function 004029C8: GetLastError.KERNEL32(00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000,00000000), ref: 004029F0

_free.LIBCMT ref: 00402CA0
_free.LIBCMT ref: 00402CAB
_free.LIBCMT ref: 00402CB6
_free.LIBCMT ref: 00402CC1
_free.LIBCMT ref: 00402CCC
_free.LIBCMT ref: 00402CD7
_free.LIBCMT ref: 00402CE2
_free.LIBCMT ref: 00402CED
_free.LIBCMT ref: 00402CFB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4a0048c8973ddb0f887afdb86a4d4abf265fb3aa5f409923ac2d6a4b7526fcfd
Instruction ID: 704d1771243af4ca9fa480cc71a94c6fa856ac2f0156f49b2dfd408b7121dc8e
Opcode Fuzzy Hash: 4a0048c8973ddb0f887afdb86a4d4abf265fb3aa5f409923ac2d6a4b7526fcfd
Instruction Fuzzy Hash: 781107B6210008AFCB02EF55DA46CDD3BA9FF05344F5040AAFA486F2A2D675EE509B94

Function 003D5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003D5C7A

Part of subcall function 003D5D0A: GetClientRect.USER32(?,?), ref: 003D5D30
Part of subcall function 003D5D0A: GetWindowRect.USER32(?,?), ref: 003D5D71
Part of subcall function 003D5D0A: ScreenToClient.USER32(?,?), ref: 003D5D99

GetDC.USER32 ref: 004146F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00414708
SelectObject.GDI32(00000000,00000000), ref: 00414716
SelectObject.GDI32(00000000,00000000), ref: 0041472B
ReleaseDC.USER32(?,00000000), ref: 00414733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004147C4

Strings

U, xrefs: 00414693

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3e7b94d31ec232caaf9a424e290744644d3a1c35fd4260c017d4c12467af74ab
Instruction ID: d9dc13f643a3b44015573951e0b946ae86eb9c6d95f4669758d5a9b89b979074
Opcode Fuzzy Hash: 3e7b94d31ec232caaf9a424e290744644d3a1c35fd4260c017d4c12467af74ab
Instruction Fuzzy Hash: 5E710131500205DFCF228F64C984AFA3BB5FF8A325F14026BED655A3A6C3388881DF65

Function 0044359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004435E4

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

LoadStringW.USER32(004A2390,?,00000FFF,?), ref: 0044360A

Strings

Line %d (File "%s"):, xrefs: 0044366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00443724
^ ERROR, xrefs: 004436C9
"%s" (%d) : ==> %s:, xrefs: 00443742
Error: , xrefs: 004436EF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 618a13031ed0d82dfb0b5083f8084c6d0caeea4449cccda19e3139a71ef614c0
Instruction ID: bdf696c4fb616a2f56ada6b00652caa63d7b0566702d12b1fb039e491e28b963
Opcode Fuzzy Hash: 618a13031ed0d82dfb0b5083f8084c6d0caeea4449cccda19e3139a71ef614c0
Instruction Fuzzy Hash: BE519372900109BADF16EFA0DC42EEEBB34AF04705F144127F505762A1EB741A95DF69

Function 0044C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044C2CA
GetLastError.KERNEL32 ref: 0044C322
SetEvent.KERNEL32(?), ref: 0044C336
InternetCloseHandle.WININET(00000000), ref: 0044C341

Strings

, xrefs: 0044C2BB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ed091b6f3e3b2adb773decdfa7129ee31dbcf978ae0b5d9f7625f8b345d671cd
Instruction ID: a2fe5982bcd2576a8a396ba69915b97026d247fab450b74653c9a8d372e6786e
Opcode Fuzzy Hash: ed091b6f3e3b2adb773decdfa7129ee31dbcf978ae0b5d9f7625f8b345d671cd
Instruction Fuzzy Hash: 1F31B171601204AFE7619FA58CC4A7B7BFCEB09744B18852FF88692200EB78DD059B69

Function 0043989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00413AAF,?,?,Bad directive syntax error,0046CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004398BC
LoadStringW.USER32(00000000,?,00413AAF,?), ref: 004398C3

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00439987

Strings

., xrefs: 0043996D
Line %d:, xrefs: 00439912
Error: , xrefs: 00439955
Line %d (File "%s"):, xrefs: 0043992D
%s (%d) : ==> %s.: %s %s, xrefs: 004398F1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 782297ee0e29b4440ee9a59f83403ddad03d579ae9d5f217bb9cdbeb00f3241e
Instruction ID: 19e2d0ea86e00cc0200a7c092248849b34481cc30ea4422cfc46aaf3e2e3258d
Opcode Fuzzy Hash: 782297ee0e29b4440ee9a59f83403ddad03d579ae9d5f217bb9cdbeb00f3241e
Instruction Fuzzy Hash: 0E21AD3290021AABCF12AF90DC46FEE7735BF18304F04446BF5156A1A2EBB59A28DB55

Function 0043209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004320AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004320C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0043214D

Strings

details, xrefs: 004320FB
SHELLDLL_DefView, xrefs: 004320CC
largeicons, xrefs: 004320E1
smallicons, xrefs: 00432115
list, xrefs: 0043212F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: dcbf5e85d706e853dfe61aa834416d71d2d05461eb0cb5a90b3591baed6f5ac0
Instruction ID: d7f6f0d9d898a7375692f054d80799b9d3982c1deac60ccd4b202e454a5b106c
Opcode Fuzzy Hash: dcbf5e85d706e853dfe61aa834416d71d2d05461eb0cb5a90b3591baed6f5ac0
Instruction Fuzzy Hash: FC110A7668870BB9FE022620DE06DB7379CDB08324F301167F704A91D1FAE96812561D

Function 0040CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0040CEB7
_free.LIBCMT ref: 0040CF22
_free.LIBCMT ref: 0040CF48
_free.LIBCMT ref: 0040CF71
_free.LIBCMT ref: 0040CFA9
_free.LIBCMT ref: 0040CFDA
_free.LIBCMT ref: 0040D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0040D09C
_free.LIBCMT ref: 0040D0B5

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9d901b7a0395f6e6dc18deb0f1b934e731ead8390105a6149824a6ca08448c54
Instruction ID: 26ddcf07643b7b30539e5a1df9ebed4ada54d7640e06f760db16c7488b030501
Opcode Fuzzy Hash: 9d901b7a0395f6e6dc18deb0f1b934e731ead8390105a6149824a6ca08448c54
Instruction Fuzzy Hash: 21614BB2A04201EFDB21AFB498C5A6E7BA5AF01314F14427FFD44B73C1D6399D058799

Function 003E8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00426890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004268A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004268B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004268D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004268F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00426901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0042691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0042692D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 256e59993da5f3cd6f8840a2cf3ecd9dbc0e4581a5d4fdfd490d9ddc42dbc8e0
Instruction ID: 49065580e1d43d374c12542fba60ca673253f940d7671d1539f9d9a7f7328e36
Opcode Fuzzy Hash: 256e59993da5f3cd6f8840a2cf3ecd9dbc0e4581a5d4fdfd490d9ddc42dbc8e0
Instruction Fuzzy Hash: 9F51CEB0A00216EFDB21DF26CC91FAA7BB9FB44350F104629F956972E0DB70E980CB44

Function 0044C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044C182
GetLastError.KERNEL32 ref: 0044C195
SetEvent.KERNEL32(?), ref: 0044C1A9

Part of subcall function 0044C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044C272
Part of subcall function 0044C253: GetLastError.KERNEL32 ref: 0044C322
Part of subcall function 0044C253: SetEvent.KERNEL32(?), ref: 0044C336
Part of subcall function 0044C253: InternetCloseHandle.WININET(00000000), ref: 0044C341

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 0c08396237dd8ab43f73468db58087b67cd9f2157cd785d9d156563c9fd96ee8
Instruction ID: a24850e9ab1364d2a6d2ce841fe3ce2d5a04833581b3426f21be67f95ecfca89
Opcode Fuzzy Hash: 0c08396237dd8ab43f73468db58087b67cd9f2157cd785d9d156563c9fd96ee8
Instruction Fuzzy Hash: 9231C370901601AFEB608FB5DC84A77BBF9FF14300B08442FF94682210DBB5E8109FA9

Function 004325A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00433A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00433A57
Part of subcall function 00433A3D: GetCurrentThreadId.KERNEL32 ref: 00433A5E
Part of subcall function 00433A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004325B3), ref: 00433A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004325BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004325DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004325DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004325E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00432601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00432605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0043260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00432623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00432627

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0a18ffd8794eb468b73dd5f961d74b4cf8073d94b6c707a7c444270f75367b3e
Instruction ID: ee6624bd87b60b385280c5a57a87649d6fc59d59fd146751cce9b4751e9f2a9c
Opcode Fuzzy Hash: 0a18ffd8794eb468b73dd5f961d74b4cf8073d94b6c707a7c444270f75367b3e
Instruction Fuzzy Hash: AC01D430390210BBFB107B69DCCAFA93F59DF4EB12F101016F358AE0E1C9E224448A6E

Function 00431803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00431449,?,?,00000000), ref: 0043180C
HeapAlloc.KERNEL32(00000000,?,00431449,?,?,00000000), ref: 00431813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00431449,?,?,00000000), ref: 00431828
GetCurrentProcess.KERNEL32(?,00000000,?,00431449,?,?,00000000), ref: 00431830
DuplicateHandle.KERNEL32(00000000,?,00431449,?,?,00000000), ref: 00431833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00431449,?,?,00000000), ref: 00431843
GetCurrentProcess.KERNEL32(00431449,00000000,?,00431449,?,?,00000000), ref: 0043184B
DuplicateHandle.KERNEL32(00000000,?,00431449,?,?,00000000), ref: 0043184E
CreateThread.KERNEL32(00000000,00000000,00431874,00000000,00000000,00000000), ref: 00431868

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c3be53b422b63304fbac49ab1d96b53d0481e188a92f8918fab4baeb10da668f
Instruction ID: 78ba1848974166fa298ab04f437289a0b92d1cd7e1ee74ba723e412c84613810
Opcode Fuzzy Hash: c3be53b422b63304fbac49ab1d96b53d0481e188a92f8918fab4baeb10da668f
Instruction Fuzzy Hash: C701AC75240344BFE610AB65DC89FA73B6CEB8AB11F004421FA45DB1A1D6B59C008F25

Function 0045A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0043D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0043D501
Part of subcall function 0043D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0043D50F
Part of subcall function 0043D4DC: CloseHandle.KERNEL32(00000000), ref: 0043D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0045A16D
GetLastError.KERNEL32 ref: 0045A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0045A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0045A268
GetLastError.KERNEL32(00000000), ref: 0045A273
CloseHandle.KERNEL32(00000000), ref: 0045A2C4

Strings

SeDebugPrivilege, xrefs: 0045A18F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b31d5015616d33718a00065e49863ce6b0f926576befefc6d06b963b116656a0
Instruction ID: 04009f627669dc687a093f8752f6b2e8d0547972d0fcaa5105298bf32e86fb6e
Opcode Fuzzy Hash: b31d5015616d33718a00065e49863ce6b0f926576befefc6d06b963b116656a0
Instruction Fuzzy Hash: 6261AD31204242AFD710DF18D495F26BBA1AF44318F14859EF8668F7A3C77AEC49CB96

Function 00463886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00463925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0046393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00463954
_wcslen.LIBCMT ref: 00463999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004639C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004639F4

Strings

SysListView32, xrefs: 004638F7

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: fae045b7d7e07be0c5cb1eeb9242bc46d66a1c1b2f5069cd15db697f9580eef5
Instruction ID: 46b55f53c5141a014a859529156b43b4871fc964c96f78c9e2f860ce602a9dfa
Opcode Fuzzy Hash: fae045b7d7e07be0c5cb1eeb9242bc46d66a1c1b2f5069cd15db697f9580eef5
Instruction Fuzzy Hash: 9A41E671A00219ABDF219F64CC45FEB7BA9EF08350F10012BF554E7291E7B99D84CB99

Function 0043BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0043BCFD
IsMenu.USER32(00000000), ref: 0043BD1D
CreatePopupMenu.USER32 ref: 0043BD53
GetMenuItemCount.USER32(018154F0), ref: 0043BDA4
InsertMenuItemW.USER32(018154F0,?,00000001,00000030), ref: 0043BDCC

Strings

2, xrefs: 0043BD37
0, xrefs: 0043BCA8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: d174b3d0f1af25f4393edf93b6db0c66618e603150e84d03e0671fae8eb2ba7f
Instruction ID: 9ccc884faf4e735fe9abde9c21f49992c47d9d5184df5ac5f4911ded351754db
Opcode Fuzzy Hash: d174b3d0f1af25f4393edf93b6db0c66618e603150e84d03e0671fae8eb2ba7f
Instruction Fuzzy Hash: E851D070A00205ABDB11CFA9D8C4BAEBBF5EF4D314F14512BE641D7390E7789941CB9A

Function 003F2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003F2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 003F2D53
_ValidateLocalCookies.LIBCMT ref: 003F2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 003F2E0C
_ValidateLocalCookies.LIBCMT ref: 003F2E61

Strings

csm, xrefs: 003F2DF6
&H?, xrefs: 003F2DFE, 003F2E07, 003F2E18

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H?$csm
API String ID: 1170836740-787596366
Opcode ID: 983b1655cac4e496f611fdfbec6dc06a9243ed68dd66b74540b19d44c38a315f
Instruction ID: 128075c21abb689bff6b88dff41b66e4f1faff68530919df32e6ebf743ab44f6
Opcode Fuzzy Hash: 983b1655cac4e496f611fdfbec6dc06a9243ed68dd66b74540b19d44c38a315f
Instruction Fuzzy Hash: DD419534A0020DEBCF11DF68C845ABFBBB5BF45354F158165FA24AB392D7359A05CB90

Function 0043C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0043C913

Strings

blank, xrefs: 0043C895
info, xrefs: 0043C8B4
warning, xrefs: 0043C8FC
stop, xrefs: 0043C8E4
question, xrefs: 0043C8CC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a8464f93e7e57c072b88fe3582dad435900af0f5ecc166bff25087cdcbad66ea
Instruction ID: fadec0bea00cd2b7b31b60e888b4c6442c573296816bff1687111aa59af3baaa
Opcode Fuzzy Hash: a8464f93e7e57c072b88fe3582dad435900af0f5ecc166bff25087cdcbad66ea
Instruction Fuzzy Hash: 16112E72689306BAAB056B549CC2EAF779CDF19315F21107BF500B9281E7A86F00536D

Function 0043ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0043ED2A
_wcslen.LIBCMT ref: 0043ED3B
_wcslen.LIBCMT ref: 0043ED79
_wcslen.LIBCMT ref: 0043EDAF
_wcslen.LIBCMT ref: 0043EDDF
_wcslen.LIBCMT ref: 0043EDEF
_wcslen.LIBCMT ref: 0043EE2B
_wcslen.LIBCMT ref: 0043EE5A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 18ed0dce806ef8012a3393bea9c70fecda4756d02b1e56381e176a355c7dc91c
Instruction ID: 8f8b1e7095074ffe1d648689a3d2b36256fa29d37276c833eb8dccd93629a2cd
Opcode Fuzzy Hash: 18ed0dce806ef8012a3393bea9c70fecda4756d02b1e56381e176a355c7dc91c
Instruction Fuzzy Hash: 1241D565D1111C75CB12EBF4888B9DFB3A8AF49700F408866F614E7162FB38E245C3E9

Function 003EF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0042682C,00000004,00000000,00000000), ref: 003EF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0042682C,00000004,00000000,00000000), ref: 0042F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0042682C,00000004,00000000,00000000), ref: 0042F454

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b45f60fe9e185ca8604617b05c98cfc922ffd941cc5466cccb62c1cecfe6c727
Instruction ID: 9f3c6593201d9b56fc4d7aa9a30019e85d72ed110a401e0f3996f98f4625227a
Opcode Fuzzy Hash: b45f60fe9e185ca8604617b05c98cfc922ffd941cc5466cccb62c1cecfe6c727
Instruction Fuzzy Hash: F1418C302042E0BEC7369B2BD88877B7BA56B56310F96423EF0C7565E2D7F59480CB05

Function 00462D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00462D1B
GetDC.USER32(00000000), ref: 00462D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00462D2E
ReleaseDC.USER32(00000000,00000000), ref: 00462D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00462D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00462D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00465A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00462DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00462DE1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ae0bda9221c502606fdc2c0dcb96bfb2142731d90a69a97bf84c032760d297e6
Instruction ID: 8dc9faf05978900777ceb352c67623cfbe3b44ae0ff2650176330a728323cb4c
Opcode Fuzzy Hash: ae0bda9221c502606fdc2c0dcb96bfb2142731d90a69a97bf84c032760d297e6
Instruction Fuzzy Hash: 33319F72201614BFEB114F50CC8AFFB3BADEF09715F044066FE489A291E6B59C41CBA9

Function 00435622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00435637
_memcmp.LIBVCRUNTIME ref: 00435659
_memcmp.LIBVCRUNTIME ref: 00435671
_memcmp.LIBVCRUNTIME ref: 00435684
_memcmp.LIBVCRUNTIME ref: 0043569E
_memcmp.LIBVCRUNTIME ref: 004356B1
_memcmp.LIBVCRUNTIME ref: 004356C9
_memcmp.LIBVCRUNTIME ref: 004356E4

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: cb1f571010f31bb0b4017e8e617cf057d7fe2365d5b77cd185bdeb050a23f8ab
Instruction ID: 0e73c085b9002029009b9ea10b79dc5763e8a1084e1bab75c3b178643b876f2a
Opcode Fuzzy Hash: cb1f571010f31bb0b4017e8e617cf057d7fe2365d5b77cd185bdeb050a23f8ab
Instruction Fuzzy Hash: 5721A7B5644A09B7E2155521AD83FBB335DAF28384FA41023FE099E681F728ED15C1EE

Function 00454FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00455007
NULL Pointer assignment, xrefs: 0045502E, 00455383

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bb1986037ab19cf0e7b530ed579bf9d3664a9cc0d3273178b64809280322aa9d
Instruction ID: a65680f0f79dccf732425700416bbdca5b311ce8fb57ff2c5fa3dfc8b0ad65d1
Opcode Fuzzy Hash: bb1986037ab19cf0e7b530ed579bf9d3664a9cc0d3273178b64809280322aa9d
Instruction Fuzzy Hash: 5BD1BF71A0060AAFDF10CF98C891BBEB7B5BF48354F14806AED15AB282E774DD49CB54

Function 00411522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004115CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00411651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004117FB,?,004117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004116E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004116FB

Part of subcall function 00403820: RtlAllocateHeap.NTDLL(00000000,?,004A1444,?,003EFDF5,?,?,003DA976,00000010,004A1440,003D13FC,?,003D13C6,?,003D1129), ref: 00403852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00411777
__freea.LIBCMT ref: 004117A2
__freea.LIBCMT ref: 004117AE

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 84b10e18d3b67898b39c0d9136bd1752f1b802fd348e2bc5b2d9383a9484057f
Instruction ID: b6488efe76346e5c242eb2c89050a8e733e3227ddadfda1ea130007a3aefd516
Opcode Fuzzy Hash: 84b10e18d3b67898b39c0d9136bd1752f1b802fd348e2bc5b2d9383a9484057f
Instruction Fuzzy Hash: 0791C671E00215ABDB209F64C881EEF7BB69F49314F18456BEA15E73A1D739CC80CB69

Function 00454523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00454648
VariantInit.OLEAUT32(?), ref: 00454749
VariantClear.OLEAUT32(?), ref: 00454753
VariantClear.OLEAUT32(?), ref: 004547B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004545D8, 00454706, 004547BE
Incorrect Object type in FOR..IN loop, xrefs: 0045472C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9b4a32f5cdf84ffbc02ddf789fa5e58060e84d8abfd9bc2df5e5e000d216eada
Instruction ID: 7aa090ddb777d36f6cdff8aba83bebafcf234ea60147ce990f8ac7dd8c07d6b6
Opcode Fuzzy Hash: 9b4a32f5cdf84ffbc02ddf789fa5e58060e84d8abfd9bc2df5e5e000d216eada
Instruction Fuzzy Hash: 6F91C530A00215ABDF20CF95C844FAF7BB8EF85715F10851AF905AF281D7789985CFA4

Function 00441187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0044125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00441284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004412A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004412D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0044135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004413C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00441430

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: c1bada2ca692d951c74511872183ee3bacdc13f6f8ca1f8f04c1e72ee815487e
Instruction ID: e0ca9a1c37726a5d2b4f1fe1584e42b778c69354ca3ceb6b5ce355607b532ad5
Opcode Fuzzy Hash: c1bada2ca692d951c74511872183ee3bacdc13f6f8ca1f8f04c1e72ee815487e
Instruction Fuzzy Hash: 8A91F475A002189FFB01DF94C885BBEB7B5FF44315F14406BE940EB2A1D7B8A981CB99

Function 003E948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 98e52a94006f1e3094bcf6f44cdf8480d4689c861029ab79a766bae3384a94c3
Instruction ID: 8d59df180220d7cb0f54458a708e2342714300cf6bfec2943d6764ca298f9fac
Opcode Fuzzy Hash: 98e52a94006f1e3094bcf6f44cdf8480d4689c861029ab79a766bae3384a94c3
Instruction Fuzzy Hash: B8912A71D00229EFCB11CFAACC84AEEBBB8FF49320F144556E515B7291D778A941CB64

Function 00453947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045396B
CharUpperBuffW.USER32(?,?), ref: 00453A7A
_wcslen.LIBCMT ref: 00453A8A
VariantClear.OLEAUT32(?), ref: 00453C1F

Part of subcall function 00440CDF: VariantInit.OLEAUT32(00000000), ref: 00440D1F
Part of subcall function 00440CDF: VariantCopy.OLEAUT32(?,?), ref: 00440D28
Part of subcall function 00440CDF: VariantClear.OLEAUT32(?), ref: 00440D34

Strings

Incorrect Parameter format, xrefs: 004539A6, 00453BA1
AUTOIT.ERROR, xrefs: 00453A80, 00453A85

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 8d4f55c992ec18ed754f10e8178caf3ac500847b12a2155310aa405517961b58
Instruction ID: 3d03b5929cfa943719e5d1df420db4e10d58f6cdea812b4fe71ecfe95f2e4d0d
Opcode Fuzzy Hash: 8d4f55c992ec18ed754f10e8178caf3ac500847b12a2155310aa405517961b58
Instruction Fuzzy Hash: 27919B756083019FCB00DF24C48096AB7E5FF88756F14896EF8898B352DB35EE09CB86

Function 00454BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0043000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?,?,?,0043035E), ref: 0043002B
Part of subcall function 0043000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?,?), ref: 00430046
Part of subcall function 0043000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?,?), ref: 00430054
Part of subcall function 0043000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?), ref: 00430064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00454C51
_wcslen.LIBCMT ref: 00454D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00454DCF
CoTaskMemFree.OLE32(?), ref: 00454DDA

Strings

NULL Pointer assignment, xrefs: 00454E23, 00454E52

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 695114690880035f5df9697162e11e22b13f768e4c5b4b6f89ff41aa91a70b42
Instruction ID: b30f9fb1a1d3001ff6a8bf734450d1a501a2a0dde68e217cf568f2d419b3be32
Opcode Fuzzy Hash: 695114690880035f5df9697162e11e22b13f768e4c5b4b6f89ff41aa91a70b42
Instruction Fuzzy Hash: 0F913871D0021DAFDF15DFA4D891AEEB7B8BF48304F10816AE915AB241EB349E49CF64

Function 004620FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00462183
GetMenuItemCount.USER32(00000000), ref: 004621B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004621DD
_wcslen.LIBCMT ref: 00462213
GetMenuItemID.USER32(?,?), ref: 0046224D
GetSubMenu.USER32(?,?), ref: 0046225B

Part of subcall function 00433A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00433A57
Part of subcall function 00433A3D: GetCurrentThreadId.KERNEL32 ref: 00433A5E
Part of subcall function 00433A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004325B3), ref: 00433A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004622E3

Part of subcall function 0043E97B: Sleep.KERNEL32 ref: 0043E9F3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8b165ad1221cc5070497ad03b78fa607093b624626cafb98fcc54ae2ff327d34
Instruction ID: db1fbe622cfb97bf860d2e300a890471f0255cbd3aaa64f869101ad0fec85a72
Opcode Fuzzy Hash: 8b165ad1221cc5070497ad03b78fa607093b624626cafb98fcc54ae2ff327d34
Instruction Fuzzy Hash: CD71B175E00615AFCB01DF64C981AAEB7F5FF48310F10849AE816EB341E7B8ED418B96

Function 0043AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043AEF9
GetKeyboardState.USER32(?), ref: 0043AF0E
SetKeyboardState.USER32(?), ref: 0043AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0043AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0043AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0043AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0043B020

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 855cbb624e776981d91bd425bbe2044af5333def692bd1727096a8efaf8b0526
Instruction ID: c4d07dfc04ff3ad60304a1fee93336749e5f5a14133dfe4be9f99eaa03df9921
Opcode Fuzzy Hash: 855cbb624e776981d91bd425bbe2044af5333def692bd1727096a8efaf8b0526
Instruction Fuzzy Hash: 835115A06443D53DFB364234CC45BBB7EE99B0A304F08958AE2D9555C2C3DCACD4D79A

Function 0043ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0043AD19
GetKeyboardState.USER32(?), ref: 0043AD2E
SetKeyboardState.USER32(?), ref: 0043AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0043ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0043ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0043AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0043AE38

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a991564d15cc1e47998c6f264bb79abe9061d1b1f7e3f85ad2642517f8c1fd23
Instruction ID: 090657b401da522163c94540e1cc21aa3f418e3d0b4bdf8cd175bd131c9cbdf0
Opcode Fuzzy Hash: a991564d15cc1e47998c6f264bb79abe9061d1b1f7e3f85ad2642517f8c1fd23
Instruction Fuzzy Hash: 4C5126A05847D13DFB328334CC86B7B7E995B0A304F08958AE1D5469C2D39CECA8D75A

Function 0040542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00413CD6,?,?,?,?,?,?,?,?,00405BA3,?,?,00413CD6,?,?), ref: 00405470
__fassign.LIBCMT ref: 004054EB
__fassign.LIBCMT ref: 00405506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00413CD6,00000005,00000000,00000000), ref: 0040552C
WriteFile.KERNEL32(?,00413CD6,00000000,00405BA3,00000000,?,?,?,?,?,?,?,?,?,00405BA3,?), ref: 0040554B
WriteFile.KERNEL32(?,?,00000001,00405BA3,00000000,?,?,?,?,?,?,?,?,?,00405BA3,?), ref: 00405584

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f3c95d627b2f6576109f341d10205dc3c26f0c3061d4da8b4de6103c5958f77a
Instruction ID: 02e7a055b8013c7f66eaa07158d5e98e34224c40f070cb7e87d83db2227543c1
Opcode Fuzzy Hash: f3c95d627b2f6576109f341d10205dc3c26f0c3061d4da8b4de6103c5958f77a
Instruction Fuzzy Hash: 0F51A0B0910609AFDB10CFA8DC85AEEBBF9EB09300F14412AE555F7291E6749A41CF69

Function 004510B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0045307A
Part of subcall function 0045304E: _wcslen.LIBCMT ref: 0045309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00451112
WSAGetLastError.WSOCK32 ref: 00451121
WSAGetLastError.WSOCK32 ref: 004511C9
closesocket.WSOCK32(00000000), ref: 004511F9

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 577bc4fc25fdf6fbb2dfb01cb05ebe366090f28e977afd716b4573b922d13a57
Instruction ID: 0d79b812a5288ab02a705edf6bca0a8181e91e93541731179f1186e9f1aa6e85
Opcode Fuzzy Hash: 577bc4fc25fdf6fbb2dfb01cb05ebe366090f28e977afd716b4573b922d13a57
Instruction Fuzzy Hash: 9C412931200604AFDB109F24D884BAAB7E9FF49316F14805AFD459B392D778ED45CBE5

Function 0043CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0043DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0043CF22,?), ref: 0043DDFD

Part of subcall function 0043DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0043CF22,?), ref: 0043DE16

lstrcmpiW.KERNEL32(?,?), ref: 0043CF45
MoveFileW.KERNEL32(?,?), ref: 0043CF7F
_wcslen.LIBCMT ref: 0043D005
_wcslen.LIBCMT ref: 0043D01B
SHFileOperationW.SHELL32(?), ref: 0043D061

Strings

\*.*, xrefs: 0043CFF3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 750aebce4f0628691d361bafeb72104aefb81a3fc9d41cb9d0702045e41ea849
Instruction ID: a1e08bd8b2a385c1f7dca5b69331f656be62ae41fc674e3e5033498923472435
Opcode Fuzzy Hash: 750aebce4f0628691d361bafeb72104aefb81a3fc9d41cb9d0702045e41ea849
Instruction Fuzzy Hash: B2415575D452185FDF12EBA4D981AEEB7B8AF0C344F1010EBE605EB241EB38A685CF54

Function 00462DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00462E1C
GetWindowLongW.USER32(?,000000F0), ref: 00462E4F
GetWindowLongW.USER32(?,000000F0), ref: 00462E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00462EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00462EE0
GetWindowLongW.USER32(?,000000F0), ref: 00462EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00462F0B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 73d4435cadb4b2bf3dbd1c55f24f1d7f7cb8eb62aaefa327ea3f7995842dfd78
Instruction ID: 8cd0b6197858b685600fb203791e0d1084e4ea2b4b751d6ceb9ded4271317959
Opcode Fuzzy Hash: 73d4435cadb4b2bf3dbd1c55f24f1d7f7cb8eb62aaefa327ea3f7995842dfd78
Instruction Fuzzy Hash: 6E311330744650AFDB20CF58DD84FA63BE4EB9A710F140176F9508F2B1EBB6A840DB0A

Function 00437726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00437769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0043778F
SysAllocString.OLEAUT32(00000000), ref: 00437792
SysAllocString.OLEAUT32(?), ref: 004377B0
SysFreeString.OLEAUT32(?), ref: 004377B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004377DE
SysAllocString.OLEAUT32(?), ref: 004377EC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e4e9f2b637becdf46fdba6f6d8664126103cf841a2e63983cbf097092526391a
Instruction ID: 8a3fea65fdf448ffd66677d60d3b74b0a18ebc2c3658c79ede365068600b6c9a
Opcode Fuzzy Hash: e4e9f2b637becdf46fdba6f6d8664126103cf841a2e63983cbf097092526391a
Instruction Fuzzy Hash: 1021B776608219AFDB10DFA9CC84CBB77ACEB09364B008026F944DB250D774EC41CB69

Function 004377FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00437842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00437868
SysAllocString.OLEAUT32(00000000), ref: 0043786B
SysAllocString.OLEAUT32 ref: 0043788C
SysFreeString.OLEAUT32 ref: 00437895
StringFromGUID2.OLE32(?,?,00000028), ref: 004378AF
SysAllocString.OLEAUT32(?), ref: 004378BD

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fdbf1cd69eeb0f640af9bb70995b985b42354e3af3809398a2b82d2003f73aaf
Instruction ID: c475c73dae6e673d08b4acfa920e1cf394cf38273f925a1dd201e0de82724fe8
Opcode Fuzzy Hash: fdbf1cd69eeb0f640af9bb70995b985b42354e3af3809398a2b82d2003f73aaf
Instruction Fuzzy Hash: 7621C971604104AFDB24AFA9CC88DBB77ECEB0D360B108126F554CB2A1DA74DC41CB68

Function 004404D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004404F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0044052E

Strings

nul, xrefs: 00440567

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 78a62e8baabc25d7ec177407c9c8677af7e84fc9bed8e815d36f88774ca44e01
Instruction ID: 46e688e2c82a3f0223f414551abe0022ad11d1d57ad20b5340f4f1e2a9df8cdc
Opcode Fuzzy Hash: 78a62e8baabc25d7ec177407c9c8677af7e84fc9bed8e815d36f88774ca44e01
Instruction Fuzzy Hash: 80216575500305ABEF209F29DC44A5A77A4EF45724F204A2AFDA1D72D0E7749960CF28

Function 004405A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004405C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00440601

Strings

nul, xrefs: 00440639

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3bd80c578409465f857941f154d80e7c68efa39aa3accaa71f659e617791956c
Instruction ID: 2e5ed9066122bac8a73f375e92e77e69764e46d6b8cc64b58dad424ea889e803
Opcode Fuzzy Hash: 3bd80c578409465f857941f154d80e7c68efa39aa3accaa71f659e617791956c
Instruction Fuzzy Hash: AE21A6355003059BEB209F698C44A5B77E4AF85720F200A1AFEA2D73D0D7B49870CB19

Function 004640AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003D604C
Part of subcall function 003D600E: GetStockObject.GDI32(00000011), ref: 003D6060
Part of subcall function 003D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003D606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00464112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0046411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0046412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00464139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00464145

Strings

Msctls_Progress32, xrefs: 004640E3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d06ec3c6efcdfef72189e1967593c7af81597ec18fbcdb1f6cba9bb6f99be4c0
Instruction ID: cc0c4c12e174ef8dd0180e9a9487a869f4ff1ce635ff0ffde2b257f008c4afe9
Opcode Fuzzy Hash: d06ec3c6efcdfef72189e1967593c7af81597ec18fbcdb1f6cba9bb6f99be4c0
Instruction Fuzzy Hash: 0B11E2B2140219BEEF119F64CC86EE77F5DEF09398F004121FB18A2150C7769C21DBA8

Function 0040D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040D7A3: _free.LIBCMT ref: 0040D7CC

_free.LIBCMT ref: 0040D82D

Part of subcall function 004029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000), ref: 004029DE
Part of subcall function 004029C8: GetLastError.KERNEL32(00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000,00000000), ref: 004029F0

_free.LIBCMT ref: 0040D838
_free.LIBCMT ref: 0040D843
_free.LIBCMT ref: 0040D897
_free.LIBCMT ref: 0040D8A2
_free.LIBCMT ref: 0040D8AD
_free.LIBCMT ref: 0040D8B8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 751315c7350735b4cea665d3f058acd1c80905db8c67b2d74ea2560ca4858f8a
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 40112CB1A40B04AAD521BFF6CC4AFCB7B9C6F40704F40483AB299B60D2DA7DA5094654

Function 0043DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0043DA74
LoadStringW.USER32(00000000), ref: 0043DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0043DA91
LoadStringW.USER32(00000000), ref: 0043DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0043DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0043DAB9

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 969b3f6476d6030c9abe1e636f5b0170c313fad5a319d7adf611153b4f00a6e4
Instruction ID: e6eea8f56372e445647bc13b23e0caaf8603a50355d7845f0d79c1388d156723
Opcode Fuzzy Hash: 969b3f6476d6030c9abe1e636f5b0170c313fad5a319d7adf611153b4f00a6e4
Instruction Fuzzy Hash: B601FFF69002087BEB11ABA49DC9EF7766CE708705F4444A6F746E2041E6B49E844F79

Function 0044096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0180E340,0180E340), ref: 0044097B
EnterCriticalSection.KERNEL32(0180E320,00000000), ref: 0044098D
TerminateThread.KERNEL32(?,000001F6), ref: 0044099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004409A9
CloseHandle.KERNEL32(?), ref: 004409B8
InterlockedExchange.KERNEL32(0180E340,000001F6), ref: 004409C8
LeaveCriticalSection.KERNEL32(0180E320), ref: 004409CF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fd78caf8b99c184b7807184a627744a7228cd8f5098efc14f6eed29e631eed4c
Instruction ID: e9b41f2a362b9c80f650656c082b4dacc564aebdbe6bccf516b55c749ab33748
Opcode Fuzzy Hash: fd78caf8b99c184b7807184a627744a7228cd8f5098efc14f6eed29e631eed4c
Instruction Fuzzy Hash: 20F03171542502BBE7415FA4EEDCBE67B35FF01702F401026F641508A0D7B59475CFA9

Function 00451C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00451DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00451DE1
WSAGetLastError.WSOCK32 ref: 00451DF2
htons.WSOCK32(?,?,?,?,?), ref: 00451EDB
inet_ntoa.WSOCK32(?), ref: 00451E8C

Part of subcall function 004339E8: _strlen.LIBCMT ref: 004339F2

Part of subcall function 00453224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0044EC0C), ref: 00453240

_strlen.LIBCMT ref: 00451F35

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6854a42b9aa2a49dad2e63fe7218dc37dcb5fb6b42cb7fcc8956c7dc94ff9a9c
Instruction ID: 27e9b4dcb635fc6501f861eb41a64ec3a5344f9954b30f72c17fe58c5f073bc1
Opcode Fuzzy Hash: 6854a42b9aa2a49dad2e63fe7218dc37dcb5fb6b42cb7fcc8956c7dc94ff9a9c
Instruction Fuzzy Hash: 79B1AC32204240AFC325DF24D885F2A77A5AF84318F54894EF8565F3E2DB75ED4ACB92

Function 004001B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004000BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004000D6
__allrem.LIBCMT ref: 004000ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040010B
__allrem.LIBCMT ref: 00400122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00400140

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 437d44a29620304b5369807899feefd58324f8f49bd85f17aec890f0150cd581
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 8581F571A00B069FE7219E39CC41B6B73A9AF41724F24463FF951EA2C1E779D9408798

Function 004061FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003F82D9,003F82D9,?,?,?,0040644F,00000001,00000001,8BE85006), ref: 00406258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0040644F,00000001,00000001,8BE85006,?,?,?), ref: 004062DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004063D8
__freea.LIBCMT ref: 004063E5

Part of subcall function 00403820: RtlAllocateHeap.NTDLL(00000000,?,004A1444,?,003EFDF5,?,?,003DA976,00000010,004A1440,003D13FC,?,003D13C6,?,003D1129), ref: 00403852

__freea.LIBCMT ref: 004063EE
__freea.LIBCMT ref: 00406413

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 6ee8b9c394f312ac26d999ed2526ceec0e2efcd35431361eeca12e46f5ccd9ed
Instruction ID: 424f040401a014316752c9c51b031ce35f9e8cfd5de9fb5d81bcb51fa5432370
Opcode Fuzzy Hash: 6ee8b9c394f312ac26d999ed2526ceec0e2efcd35431361eeca12e46f5ccd9ed
Instruction Fuzzy Hash: 6751C772600216ABDB259F64CC81EAF77A9EF44714F16467EFC06E61C0DB38DC60C6A8

Function 0045BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

Part of subcall function 0045C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0045B6AE,?,?), ref: 0045C9B5
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045C9F1
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045CA68
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0045BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045BD25
RegCloseKey.ADVAPI32(00000000), ref: 0045BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0045BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0045BDF3
RegCloseKey.ADVAPI32(?), ref: 0045BDFF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 68bf4b4802bb566ee976200b03a5abab2da98b2b28ae1bb65bf517122d4388c8
Instruction ID: cde5cd34ed35bf4ed3b2797c738339ddcc8f67703af003a304ce58bb9c2d6d56
Opcode Fuzzy Hash: 68bf4b4802bb566ee976200b03a5abab2da98b2b28ae1bb65bf517122d4388c8
Instruction Fuzzy Hash: 0B819F31208241AFD715DF24C891E2ABBF5FF84308F14856EF8954B2A2DB35ED49CB96

Function 0042F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0042F7B9
SysAllocString.OLEAUT32(00000001), ref: 0042F860
VariantCopy.OLEAUT32(0042FA64,00000000), ref: 0042F889
VariantClear.OLEAUT32(0042FA64), ref: 0042F8AD
VariantCopy.OLEAUT32(0042FA64,00000000), ref: 0042F8B1
VariantClear.OLEAUT32(?), ref: 0042F8BB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: d8b7a5e6e140b31b26041189c7388b49c345928fa6a2241ddc60fe2de9763102
Instruction ID: 3593f04c53409b9c854fe8bf4073d6fd69156da7896ab909e03dbd609fe85403
Opcode Fuzzy Hash: d8b7a5e6e140b31b26041189c7388b49c345928fa6a2241ddc60fe2de9763102
Instruction Fuzzy Hash: 4F519375700320EACF10AB66E895B29B3B4AF45314BE4447BE805DF295DB788C85C75B

Function 0044910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 003D7620: _wcslen.LIBCMT ref: 003D7625

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004494E5
_wcslen.LIBCMT ref: 00449506
_wcslen.LIBCMT ref: 0044952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00449585

Strings

X, xrefs: 00449412

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 31314e1846d5e6d4b7190f6d1c05ba8cceed79924dd8bdbc3b203ec51c4d097e
Instruction ID: 4d9ffb4238b0c06d535a39ec2edd0d0556f972d744cbd458f16918174b98a559
Opcode Fuzzy Hash: 31314e1846d5e6d4b7190f6d1c05ba8cceed79924dd8bdbc3b203ec51c4d097e
Instruction Fuzzy Hash: D3E1B1326083409FD725DF24D881A6BB7E0BF85314F14896EF8899B3A2DB35DD05CB96

Function 003E920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 003E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003E9BB2

BeginPaint.USER32(?,?,?), ref: 003E9241
GetWindowRect.USER32(?,?), ref: 003E92A5
ScreenToClient.USER32(?,?), ref: 003E92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003E92D3
EndPaint.USER32(?,?,?,?,?), ref: 003E9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004271EA

Part of subcall function 003E9339: BeginPath.GDI32(00000000), ref: 003E9357

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8e358ec5b386682e1edd2a15aa873b347074be2a31d65cf863cf7f221b915761
Instruction ID: 545d839bc582b352e22f8901d1136715b7809cb5247ca7b518b658bd8ba65880
Opcode Fuzzy Hash: 8e358ec5b386682e1edd2a15aa873b347074be2a31d65cf863cf7f221b915761
Instruction Fuzzy Hash: 3141B070204260AFD712DF25DC84FBB7BA8EF5A320F14062AF9A4872F1D7719845DB66

Function 004407EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0044080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00440847
EnterCriticalSection.KERNEL32(?), ref: 00440863
LeaveCriticalSection.KERNEL32(?), ref: 004408DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004408F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00440921

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8c8531655a680954fa6975f40c6060ab7ea8455a33975033c7aa49d086af8afa
Instruction ID: 99812bc617f52eacba7a3405d9d278bd42188eec69522959ff013db211b7a7f4
Opcode Fuzzy Hash: 8c8531655a680954fa6975f40c6060ab7ea8455a33975033c7aa49d086af8afa
Instruction Fuzzy Hash: 80415A71900205EFEF15AF55DC85AAAB778FF44300B1440B9EE009E296DB74EE64DBA8

Function 004681DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0042F3AB,00000000,?,?,00000000,?,0042682C,00000004,00000000,00000000), ref: 0046824C
EnableWindow.USER32(?,00000000), ref: 00468272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004682D1
ShowWindow.USER32(?,00000004), ref: 004682E5
EnableWindow.USER32(?,00000001), ref: 0046830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0046832F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e1ba7afce436d0520681acf1d364d07839ba0688e9caa1f5ff76c31c8b9aed60
Instruction ID: 2570893e15ad584e8473bdb51b574f455a96a62308f7421478b7cdc8ae9a9f89
Opcode Fuzzy Hash: e1ba7afce436d0520681acf1d364d07839ba0688e9caa1f5ff76c31c8b9aed60
Instruction Fuzzy Hash: 7D41B670601644AFDB11CF15C8A5BE67BE0BB06714F1843BEE9484F372DB76A841CB5A

Function 00434C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00434C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00434CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00434CEA
_wcslen.LIBCMT ref: 00434D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00434D10
_wcsstr.LIBVCRUNTIME ref: 00434D1A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: fb2f2c7e93dc725ba4814ac0666777e83b88029d2d938a1cba27b0150416e072
Instruction ID: e22cb697b8ea785e30c2b7fc07857a09dc2fe1801d8f1cd8c56d67818c152e4e
Opcode Fuzzy Hash: fb2f2c7e93dc725ba4814ac0666777e83b88029d2d938a1cba27b0150416e072
Instruction Fuzzy Hash: 74213B31204210BBEB165B36EC49EBF7B9CDF89750F10903AF805CE291EEA5EC0186A5

Function 0044581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 003D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003D3A97,?,?,003D2E7F,?,?,?,00000000), ref: 003D3AC2

_wcslen.LIBCMT ref: 0044587B
CoInitialize.OLE32(00000000), ref: 00445995
CoCreateInstance.OLE32(0046FCF8,00000000,00000001,0046FB68,?), ref: 004459AE
CoUninitialize.OLE32 ref: 004459CC

Strings

.lnk, xrefs: 00445876, 004458C1, 00445985

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3381bb486e800c2925ff0dcea9e46b4fc9d746edf3a1f48107d79141f06d7515
Instruction ID: a5bd0c9138d42c128183793588d2885ced2477bf117fa1bb047be8074fbe503a
Opcode Fuzzy Hash: 3381bb486e800c2925ff0dcea9e46b4fc9d746edf3a1f48107d79141f06d7515
Instruction Fuzzy Hash: EDD163716087019FDB14DF24D480A2ABBE2FF89710F14895EF8899B362DB35EC05CB96

Function 0043175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00430FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00430FCA
Part of subcall function 00430FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00430FD6
Part of subcall function 00430FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00430FE5
Part of subcall function 00430FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00430FEC
Part of subcall function 00430FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00431002

GetLengthSid.ADVAPI32(?,00000000,00431335), ref: 004317AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004317BA
HeapAlloc.KERNEL32(00000000), ref: 004317C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004317DA
GetProcessHeap.KERNEL32(00000000,00000000,00431335), ref: 004317EE
HeapFree.KERNEL32(00000000), ref: 004317F5

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 14729f36bbb1960cfa4b304bd739a1223d9f94ed3a6fe2f430eb2db712247cbf
Instruction ID: ab06d7017d219f3ec98341e105007fe34f685928a7f974c5dcd74113e9328c4f
Opcode Fuzzy Hash: 14729f36bbb1960cfa4b304bd739a1223d9f94ed3a6fe2f430eb2db712247cbf
Instruction Fuzzy Hash: 11118131500205FFDB209FA4CC89BBFBBA9EB4A355F14512AF48197220D7799944CB78

Function 004314CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004314FF
OpenProcessToken.ADVAPI32(00000000), ref: 00431506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00431515
CloseHandle.KERNEL32(00000004), ref: 00431520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0043154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00431563

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: db6ac4e33f8546965480233cd6921eee75fb48ff16507d3fffc7558444edc450
Instruction ID: 2cd95bfb145e3f34d4462b50ecad0e2e7c61ac0cee53a3025e17dd1ffc3bba31
Opcode Fuzzy Hash: db6ac4e33f8546965480233cd6921eee75fb48ff16507d3fffc7558444edc450
Instruction Fuzzy Hash: F1115C72600209ABDF118F94DD89BEE7BA9EF48744F044026FA05A2160D3B58E61DB65

Function 003F3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003F3379,003F2FE5), ref: 003F3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003F339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003F33B7
SetLastError.KERNEL32(00000000,?,003F3379,003F2FE5), ref: 003F3409

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: da9cbf1c8474608029777414caccadee4daccb1789c6d6806a89c90d0f4b6ce2
Instruction ID: 4e87b1f01fc672afe42e1be9c6277db827b1be5ba846ed2ca493bb8c88e5e0ee
Opcode Fuzzy Hash: da9cbf1c8474608029777414caccadee4daccb1789c6d6806a89c90d0f4b6ce2
Instruction Fuzzy Hash: E901D433709319BEAA2727B57CC5A772A94EB15379B20023BF710852F0EF614D115558

Function 00402D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00405686,00413CD6,?,00000000,?,00405B6A,?,?,?,?,?,003FE6D1,?,00498A48), ref: 00402D78
_free.LIBCMT ref: 00402DAB
_free.LIBCMT ref: 00402DD3
SetLastError.KERNEL32(00000000,?,?,?,?,003FE6D1,?,00498A48,00000010,003D4F4A,?,?,00000000,00413CD6), ref: 00402DE0
SetLastError.KERNEL32(00000000,?,?,?,?,003FE6D1,?,00498A48,00000010,003D4F4A,?,?,00000000,00413CD6), ref: 00402DEC
_abort.LIBCMT ref: 00402DF2

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4d09019edbf8360b79e0dec019731459b46d42929bf21511980676d7fdc75138
Instruction ID: cd12630ff3541f7af3401cadfee0271efc1cd49129096482f06650d67d554b6d
Opcode Fuzzy Hash: 4d09019edbf8360b79e0dec019731459b46d42929bf21511980676d7fdc75138
Instruction Fuzzy Hash: 75F0F93254450027C61237366E0EE5B25596FC2769B31043FF824B22D2EEFC8C01416D

Function 00468A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 003E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003E9693
Part of subcall function 003E9639: SelectObject.GDI32(?,00000000), ref: 003E96A2
Part of subcall function 003E9639: BeginPath.GDI32(?), ref: 003E96B9
Part of subcall function 003E9639: SelectObject.GDI32(?,00000000), ref: 003E96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00468A4E
LineTo.GDI32(?,00000003,00000000), ref: 00468A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00468A70
LineTo.GDI32(?,00000000,00000003), ref: 00468A80
EndPath.GDI32(?), ref: 00468A90
StrokePath.GDI32(?), ref: 00468AA0

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a238d75774d5abce01fcef2ab19ab3332b61b7c445d1a0e82d04e2e2230f9588
Instruction ID: 411e54682d81abfed8679c12f727e1131cbd2985361a78c8223bfa7aaa5d28f2
Opcode Fuzzy Hash: a238d75774d5abce01fcef2ab19ab3332b61b7c445d1a0e82d04e2e2230f9588
Instruction Fuzzy Hash: C8110976000108FFDF129FD4DC88EAA7F6CEB08390F008022FA599A1A1D7719D55DFA5

Function 004351FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00435218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00435229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00435230
ReleaseDC.USER32(00000000,00000000), ref: 00435238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0043524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00435261

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e7999f144f28eaf81d58d1c9f7393d144c8abd6bb6195af4b87677d19c12eb1f
Instruction ID: 6305d08f7fae8855b852fcf4dbe5301986a56f41a7710abdbe93d63b0e4ec878
Opcode Fuzzy Hash: e7999f144f28eaf81d58d1c9f7393d144c8abd6bb6195af4b87677d19c12eb1f
Instruction Fuzzy Hash: 67018475A00714BBEB105BA59C49A5FBF78EB48351F044076FA04A7280D6B09800CFA5

Function 003D1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003D1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 003D1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003D1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003D1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 003D1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 003D1C22

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e5081ccfc1336929b0ebd728364a5bb3ff7438f6e05d507e9323abaa7c757d59
Instruction ID: 3113eea3e47084f93082cfa3beac5884012a085e3f6493a802c2fd2af99b0540
Opcode Fuzzy Hash: e5081ccfc1336929b0ebd728364a5bb3ff7438f6e05d507e9323abaa7c757d59
Instruction Fuzzy Hash: 2C016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411BD15C47941C7F5A864CBE5

Function 0043EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0043EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0043EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0043EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0043EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0043EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0043EB75

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 60e7a3de7a3a61883a9c0316681f56900a51331884ea8b32d4fed9e096fa1a28
Instruction ID: 8a7b2775ac85a4e2b520d02fc27338ddc12be9700247a24114a7da850776a1e4
Opcode Fuzzy Hash: 60e7a3de7a3a61883a9c0316681f56900a51331884ea8b32d4fed9e096fa1a28
Instruction Fuzzy Hash: 17F01D72241158BBE6216752DC4DEFB7A7CEFCAB11F000169F642D1191A6E45A018ABA

Function 00427439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00427452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00427469
GetWindowDC.USER32(?), ref: 00427475
GetPixel.GDI32(00000000,?,?), ref: 00427484
ReleaseDC.USER32(?,00000000), ref: 00427496
GetSysColor.USER32(00000005), ref: 004274B0

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5088690374e893b475b107c7c543a413e3be18b346e519eaa4f9fcebfe39e50d
Instruction ID: 9aee69b3635dfa8cbe0b672dbaa308a1fcef8732a38d9e93c126710a4b8c5be8
Opcode Fuzzy Hash: 5088690374e893b475b107c7c543a413e3be18b346e519eaa4f9fcebfe39e50d
Instruction Fuzzy Hash: E0018B31500225FFEB116FA4EC48BBA7BB5FB04311F504171F966A21A0DB711E41AB5A

Function 00431874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0043187F
UnloadUserProfile.USERENV(?,?), ref: 0043188B
CloseHandle.KERNEL32(?), ref: 00431894
CloseHandle.KERNEL32(?), ref: 0043189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004318A5
HeapFree.KERNEL32(00000000), ref: 004318AC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8332384f8f2f5dffa6b82a432e3b743747836fa2c74e866499a629b72df71eb0
Instruction ID: b8213d5de05eff918a14e84ebfe3675b8808bd7153889fa8d109ef1ca58aae9f
Opcode Fuzzy Hash: 8332384f8f2f5dffa6b82a432e3b743747836fa2c74e866499a629b72df71eb0
Instruction Fuzzy Hash: 8EE01236104101BFDB016FA2ED4CD55BF39FF4A7227108231F26581170DBB25460DF65

Function 003DBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003DBEB3

Strings

D%J, xrefs: 003DBE9A
D%JD%J, xrefs: 003DBCA5
D%J, xrefs: 003DBDED, 003DBD91, 003DBD1B
D%J, xrefs: 003DBCA2

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%J$D%J$D%J$D%JD%J
API String ID: 1385522511-1923230720
Opcode ID: 98dffb545f9cd4de8221c7dacf7dd440e8133e447cedc0f3b1a474af8b265383
Instruction ID: c420726cd0ba990ed18f833459d54c90a9ffdc193af5df978b51f0d8b2b1b988
Opcode Fuzzy Hash: 98dffb545f9cd4de8221c7dacf7dd440e8133e447cedc0f3b1a474af8b265383
Instruction Fuzzy Hash: 53916C76A0020ADFCB19CF58E0906A9F7F6FF59310B26416ED941AB350D771ED81DB90

Function 00457B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 003F0242: EnterCriticalSection.KERNEL32(004A070C,004A1884,?,?,003E198B,004A2518,?,?,?,003D12F9,00000000), ref: 003F024D
Part of subcall function 003F0242: LeaveCriticalSection.KERNEL32(004A070C,?,003E198B,004A2518,?,?,?,003D12F9,00000000), ref: 003F028A

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

Part of subcall function 003F00A3: __onexit.LIBCMT ref: 003F00A9

__Init_thread_footer.LIBCMT ref: 00457BFB

Part of subcall function 003F01F8: EnterCriticalSection.KERNEL32(004A070C,?,?,003E8747,004A2514), ref: 003F0202
Part of subcall function 003F01F8: LeaveCriticalSection.KERNEL32(004A070C,?,003E8747,004A2514), ref: 003F0235

Strings

Variable must be of type 'Object'., xrefs: 00457C3A
+TB, xrefs: 00457E2E
5, xrefs: 00457C78
G, xrefs: 00457C7F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TB$5$G$Variable must be of type 'Object'.
API String ID: 535116098-798994924
Opcode ID: ebb0f8330ad2d64193db6f561cc4ac747db74a34dced82ade21228bb04d5e1cc
Instruction ID: d02e95ca211d7923158bfa343215f6f07e766071b74f13ab22dbef105b154dca
Opcode Fuzzy Hash: ebb0f8330ad2d64193db6f561cc4ac747db74a34dced82ade21228bb04d5e1cc
Instruction Fuzzy Hash: EB91AE70A04209AFCB05EF54E8919BDB7B1BF45305F10806AFC059B392DB79AE49CB59

Function 0043C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7620: _wcslen.LIBCMT ref: 003D7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0043C6EE
_wcslen.LIBCMT ref: 0043C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0043C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0043C7CA

Strings

0, xrefs: 0043C6AF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 50a646f0200cb044a84f02fd03708b697c0a996b82dae9d3e8e7b2bcf842c314
Instruction ID: 9a0f19a4a4d2b8b00c02a11b95b71be5c6431193ce9a8abf0c882d4b3de43570
Opcode Fuzzy Hash: 50a646f0200cb044a84f02fd03708b697c0a996b82dae9d3e8e7b2bcf842c314
Instruction Fuzzy Hash: C951B0716043429BD7159F28C8C5B6BB7E8AF4D310F042A2BF995E62E0DB68D904CB5A

Function 0045AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0045AEA3

Part of subcall function 003D7620: _wcslen.LIBCMT ref: 003D7625

GetProcessId.KERNEL32(00000000), ref: 0045AF38
CloseHandle.KERNEL32(00000000), ref: 0045AF67

Strings

<, xrefs: 0045AE6B
@, xrefs: 0045AE72

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: a628a2fe8499550222f20cb7cea4b3cc44303c1fc43184f46730398b00126677
Instruction ID: 3a11e017dcd3c66fd27114990bae2aabe9244470ddd5242f0d3736bec5d1f2f7
Opcode Fuzzy Hash: a628a2fe8499550222f20cb7cea4b3cc44303c1fc43184f46730398b00126677
Instruction Fuzzy Hash: AC716871A00219DFCB15EF54D485A9EBBF1FF08300F04859AE816AB392D774ED49CB95

Function 0043719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00437206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0043723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0043724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004372CF

Strings

DllGetClassObject, xrefs: 00437242

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 51baf74e491bff48b61276db4e7f440e14415dabf6e7dba5c9e507c6823732a5
Instruction ID: d18b8465b8c54ed284822cacb78bd65c2cddb7cafcd0cd63fe88904e1871225b
Opcode Fuzzy Hash: 51baf74e491bff48b61276db4e7f440e14415dabf6e7dba5c9e507c6823732a5
Instruction Fuzzy Hash: 97418FB1604204EFDB25CF54C884A9B7BA9EF48310F1490AEFD459F24AD7B8D945CBA4

Function 00462F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00462F8D
LoadLibraryW.KERNEL32(?), ref: 00462F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00462FA9
DestroyWindow.USER32(?), ref: 00462FB1

Strings

SysAnimate32, xrefs: 00462F68

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: b07ac73681f1cf161512ada5a49e30e3f17cc7ba4d1e4332ae7ac334835b887c
Instruction ID: 9e876c7ab99f670222cd751afd1c43c42802f107fc74928fef0a33f18e8ff90c
Opcode Fuzzy Hash: b07ac73681f1cf161512ada5a49e30e3f17cc7ba4d1e4332ae7ac334835b887c
Instruction Fuzzy Hash: A92101B1200605BBEF144F64DD80EBB37B8EF58324F10422AF950D6290E7B4CC41A76A

Function 003F4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003F4D1E,004028E9,?,003F4CBE,004028E9,004988B8,0000000C,003F4E15,004028E9,00000002), ref: 003F4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003F4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,003F4D1E,004028E9,?,003F4CBE,004028E9,004988B8,0000000C,003F4E15,004028E9,00000002,00000000), ref: 003F4DC3

Strings

mscoree.dll, xrefs: 003F4D86
CorExitProcess, xrefs: 003F4D98

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a4f01ac42a91cef8483eda2a261bc7f187f882cb83e4437c472f78938f601a8c
Instruction ID: 96773a06b4f569004073a9a5beaa4f50222247c4b9005a226159a03657e8960e
Opcode Fuzzy Hash: a4f01ac42a91cef8483eda2a261bc7f187f882cb83e4437c472f78938f601a8c
Instruction Fuzzy Hash: 2FF0AF30A0020CBBDB159F94DC89BFEBBB4EF44712F0040A5F909A2261DB705940CB99

Function 003D4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003D4EDD,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003D4EAE
FreeLibrary.KERNEL32(00000000,?,?,003D4EDD,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 003D4EA8
kernel32.dll, xrefs: 003D4E94

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1725efc53d0153f20da8b0330bbb700cf4963b3d9622f7fe7969930c9329f4e5
Instruction ID: 714607f00dd4f8c69c42e13a49db50f20f7a6dfdb08f82a851bceb1dd6dda9a6
Opcode Fuzzy Hash: 1725efc53d0153f20da8b0330bbb700cf4963b3d9622f7fe7969930c9329f4e5
Instruction Fuzzy Hash: 9BE08636A02522AB92231B257C58BBB6654AF82F6270A0127FC40D2204EBB4CD0144AA

Function 003D4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00413CDE,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003D4E74
FreeLibrary.KERNEL32(00000000,?,?,00413CDE,?,004A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003D4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 003D4E6E
kernel32.dll, xrefs: 003D4E5B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 92ae1c9981eb6f652b84f358d47f6b13a8ec32ef5e589855efcdec328224c4d9
Instruction ID: 17695107e41efc1b03eaf2327dc3d05a8de50cde0a3cb956134a2d0813cbf06b
Opcode Fuzzy Hash: 92ae1c9981eb6f652b84f358d47f6b13a8ec32ef5e589855efcdec328224c4d9
Instruction Fuzzy Hash: 00D0C232502661774A231B24BC08EEB2B18AFC6F613060233F840A2214EFB4CD0189D9

Function 00442947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00442C05
DeleteFileW.KERNEL32(?), ref: 00442C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00442C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00442CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00442CC0

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9a664d14908c0f193b9d6154c3c9dcaecacd1a2588dec47805b7c7d135bbdca7
Instruction ID: 780ba702b022132197e8b3a917b48d5ce6760a7456e68b150fb8d89d68e227ac
Opcode Fuzzy Hash: 9a664d14908c0f193b9d6154c3c9dcaecacd1a2588dec47805b7c7d135bbdca7
Instruction Fuzzy Hash: 74B16D72D0011DABDF21DFA4CD85EEEBB7DEF48304F5040AAF609E6241EA749A448F65

Function 0045A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0045A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0045A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0045A468
CloseHandle.KERNEL32(?), ref: 0045A63D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 7cf6d9e55980fab07ded7b49698743957486ea64ffe3154fe8c584a3be085a7d
Instruction ID: 481f4a2eb66284698dbf98b3f46c25643d85d73e81c3e590a9e2de83f399efc8
Opcode Fuzzy Hash: 7cf6d9e55980fab07ded7b49698743957486ea64ffe3154fe8c584a3be085a7d
Instruction Fuzzy Hash: 63A1AB71604301AFD721DF24D882B2AB7E5AF84714F14891EF99A9B3D2D7B4EC45CB82

Function 0040BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00473700), ref: 0040BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0040BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004A1270,000000FF,?,0000003F,00000000,?), ref: 0040BC36
_free.LIBCMT ref: 0040BB7F

Part of subcall function 004029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000), ref: 004029DE
Part of subcall function 004029C8: GetLastError.KERNEL32(00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000,00000000), ref: 004029F0

_free.LIBCMT ref: 0040BD4B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: b203fbbed2d0eecd787304564c7fafa13ebe66a789194fbeb12ceb601d92cd8a
Instruction ID: 4d161b1fa53107bcdf6de46107f001226133a8555ff0e52e1cee3d0f8ba9816a
Opcode Fuzzy Hash: b203fbbed2d0eecd787304564c7fafa13ebe66a789194fbeb12ceb601d92cd8a
Instruction Fuzzy Hash: 9A51F8729042099FD710EFA59C81AAABBB8EF41310F10427FE550F72E1EB749D418B9C

Function 0043E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0043DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0043CF22,?), ref: 0043DDFD

Part of subcall function 0043DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0043CF22,?), ref: 0043DE16

Part of subcall function 0043E199: GetFileAttributesW.KERNEL32(?,0043CF95), ref: 0043E19A

lstrcmpiW.KERNEL32(?,?), ref: 0043E473
MoveFileW.KERNEL32(?,?), ref: 0043E4AC
_wcslen.LIBCMT ref: 0043E5EB
_wcslen.LIBCMT ref: 0043E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0043E650

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f455a663f81c73d6c284b3f023a8a5acac720394f5ae0c087c933c129e4d5e13
Instruction ID: 094b965ad8743383ef7cf148b2f321b4bfc1505b39eea383aa906ff1ebd5aebb
Opcode Fuzzy Hash: f455a663f81c73d6c284b3f023a8a5acac720394f5ae0c087c933c129e4d5e13
Instruction Fuzzy Hash: B051B5B24093455BC725EB91DC81AEF73DCAF98304F00092FF689D3191EF78A588875A

Function 0045B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

Part of subcall function 0045C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0045B6AE,?,?), ref: 0045C9B5
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045C9F1
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045CA68
Part of subcall function 0045C998: _wcslen.LIBCMT ref: 0045CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0045BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0045BB63
RegCloseKey.ADVAPI32(?,?), ref: 0045BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0045BBB3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: da7d04e0034083e963c8a588e95d4aad4ca727ff64ae51912d16aed8bb7fe273
Instruction ID: f29896ed86d0e1229efa2a01b1fcf6237967ff3ed6db0b18fef80255e8df5967
Opcode Fuzzy Hash: da7d04e0034083e963c8a588e95d4aad4ca727ff64ae51912d16aed8bb7fe273
Instruction Fuzzy Hash: AF61A131208241AFD715DF54C490E2ABBE5FF84308F14855EF8998B3A2DB75ED49CB92

Function 00438BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00438BCD
VariantClear.OLEAUT32 ref: 00438C3E
VariantClear.OLEAUT32 ref: 00438C9D
VariantClear.OLEAUT32(?), ref: 00438D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00438D3B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f436fc9266b001fa321a5c4b613bfbdf0d16c036c186cc2a8897c763d61ecc87
Instruction ID: ad7ca00a94db9a4d05508642e98a9069f1befd915168f4bc37ab34b93f7a446f
Opcode Fuzzy Hash: f436fc9266b001fa321a5c4b613bfbdf0d16c036c186cc2a8897c763d61ecc87
Instruction Fuzzy Hash: 815148B5A00219AFCB14CF58D884AAAB7F4FF8D310F15856AF905DB350EB34E911CB94

Function 00448AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00448BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00448BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00448C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00448C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00448C5F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8730b63489f7429f9a72ba8fa98c6c7f79a6b078f1de14a7ef9ba796f986a412
Instruction ID: 0e9d0e9cba7f85e76d78f1cfc3b0c01c4ac8ac19641a67cdbeac51affd4c1701
Opcode Fuzzy Hash: 8730b63489f7429f9a72ba8fa98c6c7f79a6b078f1de14a7ef9ba796f986a412
Instruction Fuzzy Hash: 62515A35A002159FDB01DF65D880A6EBBF5FF49314F08809AE849AF3A2DB35ED41CB91

Function 00458EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00458F40
GetProcAddress.KERNEL32(00000000,?), ref: 00458FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00458FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00459032
FreeLibrary.KERNEL32(00000000), ref: 00459052

Part of subcall function 003EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00441043,?,7529E610), ref: 003EF6E6
Part of subcall function 003EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0042FA64,00000000,00000000,?,?,00441043,?,7529E610,?,0042FA64), ref: 003EF70D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 16e94d78e2efe4845cc30b63b3f5d4fdd9e207089a012716253cbd90b9cfbde0
Instruction ID: 72d633c3245c33ee1e44b0c397673faff32f933513fc64019503aca26529efe0
Opcode Fuzzy Hash: 16e94d78e2efe4845cc30b63b3f5d4fdd9e207089a012716253cbd90b9cfbde0
Instruction Fuzzy Hash: 8E514A36600205DFC701DF54D4948ADBBB1FF49315B0481AAE806AF362DB35ED8ACF95

Function 00466B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00466C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00466C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00466C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0044AB79,00000000,00000000), ref: 00466C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00466CC7

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 7788941718b42cd04eb61fca16d2114039365c920206d3624428988c6682868b
Instruction ID: 1ce1209c113f7856c8123e3e80d91b9b845b7a067f64b1da2ba53b21817c8ea8
Opcode Fuzzy Hash: 7788941718b42cd04eb61fca16d2114039365c920206d3624428988c6682868b
Instruction Fuzzy Hash: B541E835604514AFD724CF28CC94FB67FA9EB09350F16022AF895A73E0E375ED41CA4A

Function 00402051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004020C3
_free.LIBCMT ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 053fb64e8f1ec6cf5067bda59c8ddd519170435bb1cae57bfc5c521b053aa31d
Instruction ID: 577d331ca92d43a37aaeba8767786e7a1a266de3cde3c43c6ce2bc94384dab73
Opcode Fuzzy Hash: 053fb64e8f1ec6cf5067bda59c8ddd519170435bb1cae57bfc5c521b053aa31d
Instruction Fuzzy Hash: 1D41D172A002009FCB20DF79CA84A5EB3B5EF89314F1585BAE615EB3D1D675AD01CB84

Function 003E912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003E9141
ScreenToClient.USER32(00000000,?), ref: 003E915E
GetAsyncKeyState.USER32(00000001), ref: 003E9183
GetAsyncKeyState.USER32(00000002), ref: 003E919D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ec3da949ebc12275431788f30faace546bef9a1588387cbf48faa15dfbf9123b
Instruction ID: 804abb040a31faca630ce102364b0b0df5eccf480bd142b4786509a2c88aa790
Opcode Fuzzy Hash: ec3da949ebc12275431788f30faace546bef9a1588387cbf48faa15dfbf9123b
Instruction Fuzzy Hash: 56416E31A0852AFBDF059F65D844BFEB774FF05324F20832AE429A62D0D7745950CB56

Function 00443874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004438CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00443922
TranslateMessage.USER32(?), ref: 0044394B
DispatchMessageW.USER32(?), ref: 00443955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00443966

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 6c628f69d499305416f4365fb748e030a3d833e478e7e1a640002711793d8f7a
Instruction ID: 326b58a8d3b0061dea2013185dd6ed94c8ececa804c000b760f817768306b4c2
Opcode Fuzzy Hash: 6c628f69d499305416f4365fb748e030a3d833e478e7e1a640002711793d8f7a
Instruction Fuzzy Hash: D431AAB05043429EFB25DF359848B777BE8AB16B06F04457FD462822A0E7FC9645CB19

Function 0044CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0044C21E,00000000), ref: 0044CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0044CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0044C21E,00000000), ref: 0044CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0044C21E,00000000), ref: 0044CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0044C21E,00000000), ref: 0044CFF2

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 9d262b0504be524cdcb83e549c0ba31d19b3e632c600a7a89d7b774cc72f5db2
Instruction ID: 2ed031ce93f35e86602db94c9720d2ae897127d805fa2399a3d39c93ec5e6d16
Opcode Fuzzy Hash: 9d262b0504be524cdcb83e549c0ba31d19b3e632c600a7a89d7b774cc72f5db2
Instruction Fuzzy Hash: DB318071601205EFEB60DFA5C8C4AABBBF9EB14311B14442FF506D3281E778AD45DB68

Function 00431901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00431915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004319C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004319C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004319DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004319E2

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b90986f1fd9e9816c639a0764b648df131ed2f9333c125cba308b706f86a4461
Instruction ID: a495ee98271ff7c488e425dd0c7fb8207c900084d1299f51fe0646be0d1618e5
Opcode Fuzzy Hash: b90986f1fd9e9816c639a0764b648df131ed2f9333c125cba308b706f86a4461
Instruction Fuzzy Hash: E531E4B1900219EFCB00CFA8CD98BEE3BB5EF08315F105226F961A72E0D7B49954CB95

Function 00465706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00465745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0046579D
_wcslen.LIBCMT ref: 004657AF
_wcslen.LIBCMT ref: 004657BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00465816

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e4718321a14f455f3a3a1d46769100a6ff43bd3b1e69f7a07cd5422d0c0aa90c
Instruction ID: 823b0c16976a95848d8d6d145fc33b076b9c1b45e9a62a3f304a1f54075284d3
Opcode Fuzzy Hash: e4718321a14f455f3a3a1d46769100a6ff43bd3b1e69f7a07cd5422d0c0aa90c
Instruction Fuzzy Hash: FF21A575904618DADB20DF60CC84AEE77B8FF04725F108257E929EB280F7789985CF5A

Function 00450930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00450951
GetForegroundWindow.USER32 ref: 00450968
GetDC.USER32(00000000), ref: 004509A4
GetPixel.GDI32(00000000,?,00000003), ref: 004509B0
ReleaseDC.USER32(00000000,00000003), ref: 004509E8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8adb8bc6970f500309f965df73e732dc665c3c1e16b11d877062894728c7d41f
Instruction ID: 16fe7b026d2ba16ab3bd5f9cb9a11d6718f1ef7ea351664d5c6373f54ca62e55
Opcode Fuzzy Hash: 8adb8bc6970f500309f965df73e732dc665c3c1e16b11d877062894728c7d41f
Instruction Fuzzy Hash: 7321817A600204AFD704EF65D984AAEBBE9EF45701F14807DE84AD7362DB74AC44CB94

Function 0040CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0040CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040CDE9

Part of subcall function 00403820: RtlAllocateHeap.NTDLL(00000000,?,004A1444,?,003EFDF5,?,?,003DA976,00000010,004A1440,003D13FC,?,003D13C6,?,003D1129), ref: 00403852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040CE0F
_free.LIBCMT ref: 0040CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040CE31

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b4d95061f3034c5e02b24d117d55e4c70d186b34ce1d4a1bd5cbade792168674
Instruction ID: 16e5ee8c92280b5845a337d109be9060333224b997441015e6229d5f0f962af3
Opcode Fuzzy Hash: b4d95061f3034c5e02b24d117d55e4c70d186b34ce1d4a1bd5cbade792168674
Instruction Fuzzy Hash: 0C01B572601215BFA32127B6ACCCC7B696DDEC6BA1315023BFD05E6280EA788D0191F9

Function 003E9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003E9693
SelectObject.GDI32(?,00000000), ref: 003E96A2
BeginPath.GDI32(?), ref: 003E96B9
SelectObject.GDI32(?,00000000), ref: 003E96E2

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 45c551ad499150867f350f169ec45ad647ee45621588e7b4cdb5ef4c20842b55
Instruction ID: f22e7deb9f74953a809cae25b9a6ac94ecd497471237dd921d177bf6a8364f1f
Opcode Fuzzy Hash: 45c551ad499150867f350f169ec45ad647ee45621588e7b4cdb5ef4c20842b55
Instruction Fuzzy Hash: 422160B0802255EFDB129F65EC547AA3F6DBB02365F100327F410961F0D3745991CF99

Function 00435711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00435726
_memcmp.LIBVCRUNTIME ref: 00435744
_memcmp.LIBVCRUNTIME ref: 00435757
_memcmp.LIBVCRUNTIME ref: 0043576F
_memcmp.LIBVCRUNTIME ref: 00435787

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4109470cef203de24854ca640495920b87c2da46f078819aa936f92911871826
Instruction ID: 9ae45ffc2596c1e79efcff022cd09a9dc9313fd90a68488b3209c114567a9c44
Opcode Fuzzy Hash: 4109470cef203de24854ca640495920b87c2da46f078819aa936f92911871826
Instruction Fuzzy Hash: 5501F565245A09FBE2085510AD82FBF734D9B35394F500033FE049E641F728ED15C2EA

Function 00402DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,003FF2DE,00403863,004A1444,?,003EFDF5,?,?,003DA976,00000010,004A1440,003D13FC,?,003D13C6), ref: 00402DFD
_free.LIBCMT ref: 00402E32
_free.LIBCMT ref: 00402E59
SetLastError.KERNEL32(00000000,003D1129), ref: 00402E66
SetLastError.KERNEL32(00000000,003D1129), ref: 00402E6F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7e8aad321f5cae4c7de070ad94cbf44be5c675581a8598e654538ce7e3a7930c
Instruction ID: 6da37b168651b4c2c574f6230c90ea0deb058d225b89b3e2166e4a39e64d9205
Opcode Fuzzy Hash: 7e8aad321f5cae4c7de070ad94cbf44be5c675581a8598e654538ce7e3a7930c
Instruction Fuzzy Hash: 4401F97628560067C6122736AE8ED2B265DABD13A9721003FF855B23D3EAFC8C0141AD

Function 0043000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?,?,?,0043035E), ref: 0043002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?,?), ref: 00430046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?,?), ref: 00430054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?), ref: 00430064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0042FF41,80070057,?,?), ref: 00430070

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3e0ac66abef530fdefd9b48d0598e93c59122dfdbbba49ba898ed650a80b3be6
Instruction ID: 2a0b5bd12144a89b7a495e437d28d516aa19106f1f8280be73d82fcfa545628c
Opcode Fuzzy Hash: 3e0ac66abef530fdefd9b48d0598e93c59122dfdbbba49ba898ed650a80b3be6
Instruction Fuzzy Hash: A501A272600214BFDB245F68EC84BBA7AFDEF48752F145225F945D3210E7B9DD408BA4

Function 0043E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0043E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0043E9A5
Sleep.KERNEL32(00000000), ref: 0043E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0043E9B7
Sleep.KERNEL32 ref: 0043E9F3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1d3be29ec1afddc5306e25fb1d02214fa566e2b09ef840b85dbbbc3fab748239
Instruction ID: 00bdb2efce817e168c68decbd44896b2eda795fe88c7d821cf6718ed8d2b0ff0
Opcode Fuzzy Hash: 1d3be29ec1afddc5306e25fb1d02214fa566e2b09ef840b85dbbbc3fab748239
Instruction Fuzzy Hash: BD016D71C02529DBCF00AFE6DD996EDBB78FF0E301F000556E542B2280DB789552CBAA

Function 004310F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00431114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 00431120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 0043112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00430B9B,?,?,?), ref: 00431136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0043114D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f9793eab14787b9cda371bf59cd801f1388d756c78ce97c174f5e5369515fd06
Instruction ID: 08fe2823703191cba52dd44bdb5967efff0176270fce56e6af0bd936816ff0fe
Opcode Fuzzy Hash: f9793eab14787b9cda371bf59cd801f1388d756c78ce97c174f5e5369515fd06
Instruction Fuzzy Hash: B9011D75200205BFDB114FA5DC89AAB3B6EEF89361B104425FA85D7360EA71DC409E65

Function 00430FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00430FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00430FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00430FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00430FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00431002

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: db3bd2373927d53324cf79c58a627eaf3d0f21f3315b92549dfff8cd00d92c82
Instruction ID: 88a4a7a98290923165713ce8533c340f27651757cb6a8d27a12f38f30c01508a
Opcode Fuzzy Hash: db3bd2373927d53324cf79c58a627eaf3d0f21f3315b92549dfff8cd00d92c82
Instruction Fuzzy Hash: 65F0AF35200301BBD7210FA59C89F673B6DEF8A761F100425F985D6260DAB1DC408A64

Function 00431014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0043102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00431036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00431045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0043104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00431062

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b96a5695c3722cbefd11ca2a926246e9474644b4e3c4331b138977551d924e2f
Instruction ID: e985e4127651a886b94b4bd50a79d9b48a5beb0538854a63a5c49ff9317089db
Opcode Fuzzy Hash: b96a5695c3722cbefd11ca2a926246e9474644b4e3c4331b138977551d924e2f
Instruction Fuzzy Hash: 18F0C235200301FBD7211FA5EC88F673B6DEF8A761F100425F985E7360DAB1D8408A64

Function 0044030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0044017D,?,004432FC,?,00000001,00412592,?), ref: 00440324
CloseHandle.KERNEL32(?,?,?,?,0044017D,?,004432FC,?,00000001,00412592,?), ref: 00440331
CloseHandle.KERNEL32(?,?,?,?,0044017D,?,004432FC,?,00000001,00412592,?), ref: 0044033E
CloseHandle.KERNEL32(?,?,?,?,0044017D,?,004432FC,?,00000001,00412592,?), ref: 0044034B
CloseHandle.KERNEL32(?,?,?,?,0044017D,?,004432FC,?,00000001,00412592,?), ref: 00440358
CloseHandle.KERNEL32(?,?,?,?,0044017D,?,004432FC,?,00000001,00412592,?), ref: 00440365

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 03c6cb8e615f666533e4de84509066c66abe6bf2cb899d7910bce0272b57108a
Instruction ID: 5218a5e8ec9c4edf74afa8e028fae350d4f9c9ee19f8119df492b07a7d9cce82
Opcode Fuzzy Hash: 03c6cb8e615f666533e4de84509066c66abe6bf2cb899d7910bce0272b57108a
Instruction Fuzzy Hash: C901A272800B159FD7309F66D890413FBF5BF503153158A3FD69652A31C7B5A964CF84

Function 0040D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0040D752

Part of subcall function 004029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000), ref: 004029DE
Part of subcall function 004029C8: GetLastError.KERNEL32(00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000,00000000), ref: 004029F0

_free.LIBCMT ref: 0040D764
_free.LIBCMT ref: 0040D776
_free.LIBCMT ref: 0040D788
_free.LIBCMT ref: 0040D79A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a733936558b4e7f034bfb647dd90d9115670b2c705fc32e3ebf609e77f995b27
Instruction ID: 1049caf88f4489aca2ebf3c1adae43ea4b1401d1eeb5f3bc149a6aa27d011c3d
Opcode Fuzzy Hash: a733936558b4e7f034bfb647dd90d9115670b2c705fc32e3ebf609e77f995b27
Instruction Fuzzy Hash: 0CF0CDB2A542046BC611FBA9FAC5C1677D9BB547157A4083BF044F76C1C678F844466C

Function 00435C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00435C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00435C6F
MessageBeep.USER32(00000000), ref: 00435C87
KillTimer.USER32(?,0000040A), ref: 00435CA3
EndDialog.USER32(?,00000001), ref: 00435CBD

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 34827ed371202892110c5966eeea02b3473f8a62f5b7a9795cf9cc8211c074b5
Instruction ID: 1c5be01a2792e1f406bb2eb359c4d4766bfaaf5ecdca3ca709a5d0627d7fa18c
Opcode Fuzzy Hash: 34827ed371202892110c5966eeea02b3473f8a62f5b7a9795cf9cc8211c074b5
Instruction Fuzzy Hash: A6018630500B04ABFB215B10DD8EFA677B8BB04B05F04256BE583A15E1EBF4A985CA99

Function 004022A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004022BE

Part of subcall function 004029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000), ref: 004029DE
Part of subcall function 004029C8: GetLastError.KERNEL32(00000000,?,0040D7D1,00000000,00000000,00000000,00000000,?,0040D7F8,00000000,00000007,00000000,?,0040DBF5,00000000,00000000), ref: 004029F0

_free.LIBCMT ref: 004022D0
_free.LIBCMT ref: 004022E3
_free.LIBCMT ref: 004022F4
_free.LIBCMT ref: 00402305

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0dbda31450471dade8cebd134a4fe63302b2db4b6d7f7d862e7f0d13e3302393
Instruction ID: 0c23d57fa02eacb8c95277feecd73a30c4b293daade98dedb172a2b75e96a80a
Opcode Fuzzy Hash: 0dbda31450471dade8cebd134a4fe63302b2db4b6d7f7d862e7f0d13e3302393
Instruction Fuzzy Hash: 6EF03AF59201208FCA12BF55BD499493F64B72A761B50057FF410F32F1C7B84811ABAC

Function 003E95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003E95D4
StrokeAndFillPath.GDI32(?,?,004271F7,00000000,?,?,?), ref: 003E95F0
SelectObject.GDI32(?,00000000), ref: 003E9603
DeleteObject.GDI32 ref: 003E9616
StrokePath.GDI32(?), ref: 003E9631

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b30e257d51284190f1910d59a7e493c6f51b884f47018f1cbe3d8131dbf75958
Instruction ID: 94a1b27b045be775407b89bd72ccdcb8a5fe3b8561af1b5005ec11a30203594b
Opcode Fuzzy Hash: b30e257d51284190f1910d59a7e493c6f51b884f47018f1cbe3d8131dbf75958
Instruction Fuzzy Hash: 8AF03C70006244EBDB125F66ED5C7B63F69AB02372F048336F465590F0D7748995DF29

Function 00400F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004010F9
__freea.LIBCMT ref: 00401117

Part of subcall function 00401537: _free.LIBCMT ref: 0040154F

Strings

a/p, xrefs: 004011DE
am/pm, xrefs: 0040117A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 7c2fb57b90ec4f0d4fd64a631442acfeb411cf0d2f1b74281f8e039228877ddb
Instruction ID: d2786116ac30ce35a34639a80ac6b7a9fe73737a7a260ee6b1930f113c479f86
Opcode Fuzzy Hash: 7c2fb57b90ec4f0d4fd64a631442acfeb411cf0d2f1b74281f8e039228877ddb
Instruction Fuzzy Hash: 54D1D2319002069AEB289F68C855BBBB7B5FF05300F24417BE941BBBE1D27D9D81CB59

Function 004561D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 003F0242: EnterCriticalSection.KERNEL32(004A070C,004A1884,?,?,003E198B,004A2518,?,?,?,003D12F9,00000000), ref: 003F024D
Part of subcall function 003F0242: LeaveCriticalSection.KERNEL32(004A070C,?,003E198B,004A2518,?,?,?,003D12F9,00000000), ref: 003F028A

Part of subcall function 003F00A3: __onexit.LIBCMT ref: 003F00A9

__Init_thread_footer.LIBCMT ref: 00456238

Part of subcall function 003F01F8: EnterCriticalSection.KERNEL32(004A070C,?,?,003E8747,004A2514), ref: 003F0202
Part of subcall function 003F01F8: LeaveCriticalSection.KERNEL32(004A070C,?,003E8747,004A2514), ref: 003F0235

Part of subcall function 0044359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004435E4
Part of subcall function 0044359C: LoadStringW.USER32(004A2390,?,00000FFF,?), ref: 0044360A

Strings

x#J, xrefs: 0045636F
x#J, xrefs: 00456353
x#J, xrefs: 0045633A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#J$x#J$x#J
API String ID: 1072379062-2892114158
Opcode ID: 8ed660bbd63b73c0f359012c30098e8600ac7824abc51f35016a164938ac8685
Instruction ID: 033a38daef1aca50e01b0776ef27f4f9b28a0c108c71c3e5bb5fdd2b8c76e699
Opcode Fuzzy Hash: 8ed660bbd63b73c0f359012c30098e8600ac7824abc51f35016a164938ac8685
Instruction Fuzzy Hash: 75C19D71A00109AFCB15DF58D890EBEB7B9EF49300F51806AF9059B392EB74ED49CB94

Function 00405AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO=, xrefs: 00405BA8, 00405C6C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: JO=
API String ID: 0-2915421919
Opcode ID: b757866c5db22ae64d3dcce946a897d1eebdfb488e8b2f5796bbc951aaa2ac7f
Instruction ID: 7c4e0c817141601a500e16cdc691bb90314546b9f4dffa6c799ae25cb8949c11
Opcode Fuzzy Hash: b757866c5db22ae64d3dcce946a897d1eebdfb488e8b2f5796bbc951aaa2ac7f
Instruction Fuzzy Hash: 9C51D075904609AFDB119FA5C849ABF7BB8EF05314F14042BF804BB2D1D679A901CF6A

Function 00408A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00408B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00408B7A
__dosmaperr.LIBCMT ref: 00408B81

Strings

.?, xrefs: 00408A63

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .?
API String ID: 2434981716-532706291
Opcode ID: 5f97729e496f3d71715c8040c03aec41be783e7d0ddaa98a31c60da9e867d137
Instruction ID: ec649edd6021b70c641133f5ba4e57ccebd5254c737fd8b63e3eae5193cc98df
Opcode Fuzzy Hash: 5f97729e496f3d71715c8040c03aec41be783e7d0ddaa98a31c60da9e867d137
Instruction Fuzzy Hash: 4E415B70604155AFDB249F24C980A7A7FB5DF86304B2845BFF8C5A7692DE399C028B98

Function 00432716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004321D0,?,?,00000034,00000800,?,00000034), ref: 0043B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00432760

Part of subcall function 0043B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0043B3F8

Part of subcall function 0043B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0043B355
Part of subcall function 0043B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00432194,00000034,?,?,00001004,00000000,00000000), ref: 0043B365
Part of subcall function 0043B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00432194,00000034,?,?,00001004,00000000,00000000), ref: 0043B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004327CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043281A

Strings

@, xrefs: 00432832

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c886f5dc10a85cf9d9b4ac214a708f67decd93e939e29280f467a8e3e9da1413
Instruction ID: 198f422c7dd3e6cb031bbc1be694443bea56876e7f39ea1c674d1de29b77cd4f
Opcode Fuzzy Hash: c886f5dc10a85cf9d9b4ac214a708f67decd93e939e29280f467a8e3e9da1413
Instruction Fuzzy Hash: F1414C72900218BFDB10DBA4CD81BEEBBB8EF09300F10505AFA55B7181DBB46E45CBA5

Function 0040172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\random.exe,00000104), ref: 00401769
_free.LIBCMT ref: 00401834
_free.LIBCMT ref: 0040183E

Strings

C:\Users\user\Desktop\random.exe, xrefs: 00401760, 00401767, 00401796, 004017CE

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\random.exe
API String ID: 2506810119-2496027944
Opcode ID: 9f3082ea88e68a77d3e9ceb760dcfc642096e69958e011bd5858be05c393b703
Instruction ID: e4595086ad74b1e95a86cf982bdbd427a8b7df9774e7a78217c171d481363aa8
Opcode Fuzzy Hash: 9f3082ea88e68a77d3e9ceb760dcfc642096e69958e011bd5858be05c393b703
Instruction Fuzzy Hash: 02316576A00218EFDB21DF959885D9FBBFCEB85310F1441BBF904A72A1D6748E40CB99

Function 0043C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0043C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0043C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004A1990,018154F0), ref: 0043C395

Strings

0, xrefs: 0043C2DF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 278d6ca2abf2044c823072903df4da506bf36bfe66eaf268db1d7dfae44c3ba6
Instruction ID: 27b5bf724cb4bacdecd57fefacc05821919f3ee537fc7f2296db040853f444e4
Opcode Fuzzy Hash: 278d6ca2abf2044c823072903df4da506bf36bfe66eaf268db1d7dfae44c3ba6
Instruction Fuzzy Hash: EF419F712043019FD720DF25D884B2BBBE4AB89314F14961EF9A5A7391D774A904CB5A

Function 00464416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0046CC08,00000000,?,?,?,?), ref: 004644AA
GetWindowLongW.USER32 ref: 004644C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004644D7

Strings

SysTreeView32, xrefs: 0046447C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7db30a80e638f29290997edba4a93f764504ec9a8f61bdb345ff735288daecfb
Instruction ID: 966c724929d26cf4b5f13b0da195aa65c89d9e9871c130bb8f53e9df39cc171e
Opcode Fuzzy Hash: 7db30a80e638f29290997edba4a93f764504ec9a8f61bdb345ff735288daecfb
Instruction Fuzzy Hash: CA31B231210605AFDF119E38DC46BEB7BA9EB49334F204326F975922D0EB74EC509755

Function 00436E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00436EED
VariantCopyInd.OLEAUT32(?,?), ref: 00436F08
VariantClear.OLEAUT32(?), ref: 00436F12

Strings

*jC, xrefs: 00436E8B, 00436E90, 00436EF8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jC
API String ID: 2173805711-3126626595
Opcode ID: 02b0bd7790b5eb0b0ca4ec9ccc683318a8d860d86288ec473dceff6ae273be77
Instruction ID: 4d7f18135a40faa85adc5c99d7b982eb6a2f43d4a15bdb179aeb63aac8816a0f
Opcode Fuzzy Hash: 02b0bd7790b5eb0b0ca4ec9ccc683318a8d860d86288ec473dceff6ae273be77
Instruction Fuzzy Hash: C531C472704246EFCB05AF54E8908BE7776EF49300F11446AF80A4F3A1DB389912DBD9

Function 0045304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00453077,?,?), ref: 00453378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0045307A
_wcslen.LIBCMT ref: 0045309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00453106

Strings

255.255.255.255, xrefs: 00453095, 0045309A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 932344ef143787ed4a6315596567c6f6d9b23bcad73ad5752da56720391008db
Instruction ID: 3307a8a54e11b2fcecebae1ab036805106837adb0bf528fe326dcbfdb629959c
Opcode Fuzzy Hash: 932344ef143787ed4a6315596567c6f6d9b23bcad73ad5752da56720391008db
Instruction Fuzzy Hash: 6131B2362002059FCB20DF28C485AAA77E0EF1479AF24805AED158B393D779EE49C765

Function 00464653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00464705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00464713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0046471A

Strings

msctls_updown32, xrefs: 00464684

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c0db89d2631697ffb263e17e3560d5a452433a2fff166dea7dd5fa48b4a49b55
Instruction ID: c0f561468aa89aa10c8a7fa1ef6ecf79b05eacb3f09470219e0b8e1079606bb7
Opcode Fuzzy Hash: c0db89d2631697ffb263e17e3560d5a452433a2fff166dea7dd5fa48b4a49b55
Instruction Fuzzy Hash: A5215EB5600209AFDB11DF64DCD1DB73BADEB9A394B04005AFA009B361DB74EC51CA69

Function 004395AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043961D

Strings

#notrayicon, xrefs: 004395B7
#OnAutoItStartRegister, xrefs: 004395F3
#requireadmin, xrefs: 004395D9

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3a5ea79aa03e3d8e7d878105c9f889d12f67696f24a235da13dee864fd459a2a
Instruction ID: 2eb75552a02f89655ebc1e9950ea2043870b3b96eaa044f71d8722d670381887
Opcode Fuzzy Hash: 3a5ea79aa03e3d8e7d878105c9f889d12f67696f24a235da13dee864fd459a2a
Instruction Fuzzy Hash: 6B215E3310561066D332AB249C03FB773D89F69300F545027F9499B281FBD9AD85C69E

Function 004637B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00463840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00463850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00463876

Strings

Listbox, xrefs: 0046380F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 6f82bf58fb9fbf340f93145c634a79b318bb0e1feafe8da03cceed6bc69cd89f
Instruction ID: e4fcddb1753ca2f9195193a656f2c035c1268a057c895587061a884ff15f6d82
Opcode Fuzzy Hash: 6f82bf58fb9fbf340f93145c634a79b318bb0e1feafe8da03cceed6bc69cd89f
Instruction Fuzzy Hash: BA210472600118BBEF119F54CC81FFB37AEEF89751F108125F9009B290D6B5DC5287A5

Function 004449F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00444A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00444A5C
SetErrorMode.KERNEL32(00000000,?,?,0046CC08), ref: 00444AD0

Strings

%lu, xrefs: 00444A6F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: bb18ec3c127ce52305d12dfa699776687eb59bd595dc496cdeface89f5dd6d2e
Instruction ID: 71c2212dcb7b3203f31dba1ffa279d098ece82632334af6a3fb0687534401e26
Opcode Fuzzy Hash: bb18ec3c127ce52305d12dfa699776687eb59bd595dc496cdeface89f5dd6d2e
Instruction Fuzzy Hash: F4318071A00108AFDB11DF54C885EAA7BF8EF49308F1440AAE805EF362DB75ED45CB65

Function 004641EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0046424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00464264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00464271

Strings

msctls_trackbar32, xrefs: 00464226

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b7446496dff812bb671be0ff58eecf49c95fe2bfebe78d4357d48e5f20b33d25
Instruction ID: 05acd94da4d41e4e5d9eaf34c75cd84d4cbd9f9f5c8324b98f1937a86b8a7a72
Opcode Fuzzy Hash: b7446496dff812bb671be0ff58eecf49c95fe2bfebe78d4357d48e5f20b33d25
Instruction Fuzzy Hash: 0F110A312402087EEF205F25CC46FAB3BACEFD5764F110125FA55E6190E2B5DC519718

Function 00432F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

Part of subcall function 00432DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00432DC5
Part of subcall function 00432DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00432DD6
Part of subcall function 00432DA7: GetCurrentThreadId.KERNEL32 ref: 00432DDD
Part of subcall function 00432DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00432DE4

GetFocus.USER32 ref: 00432F78

Part of subcall function 00432DEE: GetParent.USER32(00000000), ref: 00432DF9

GetClassNameW.USER32(?,?,00000100), ref: 00432FC3
EnumChildWindows.USER32(?,0043303B), ref: 00432FEB

Strings

%s%d, xrefs: 00432FFF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9f213c79fc168b3c47d07cc7e5b4521b01a9a4215f41a60f9d334fd615a26c27
Instruction ID: ce80f74d99c440cad16c8000c944ed4162147e68a4b4b299561e15c6fbe3f760
Opcode Fuzzy Hash: 9f213c79fc168b3c47d07cc7e5b4521b01a9a4215f41a60f9d334fd615a26c27
Instruction Fuzzy Hash: DA11D2712002056BCF05BF61DCD6FEE376AAF88315F04507BF9099B292DEB899058B78

Function 00465882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004658C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004658EE
DrawMenuBar.USER32(?), ref: 004658FD

Strings

0, xrefs: 0046588F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: db3a2433cf7afb4a785d8d58ac364fab561a70e9c746e7912fa64e3e4472799b
Instruction ID: 11d71bfc31c2e10a963d7830004fa40dc70b81716a9d9f1ca0b56c109efcd063
Opcode Fuzzy Hash: db3a2433cf7afb4a785d8d58ac364fab561a70e9c746e7912fa64e3e4472799b
Instruction Fuzzy Hash: AF016171500258EFDB119F11DC44BAFBBB4FB45360F1080AAE849DA251EB749A84DF36

Function 0043007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b696a69949875798adff2754a300b4d1799851bba25d7074144f16b06debfaad
Instruction ID: be4de96a86dead85e7a0ff20ebfa9000df5a84078b8fa0545aaa55cd555b72e4
Opcode Fuzzy Hash: b696a69949875798adff2754a300b4d1799851bba25d7074144f16b06debfaad
Instruction Fuzzy Hash: 61C17C75A0020AEFDB14CFA4C8A4EAEB7B5FF48704F209699E805EB251D735ED41CB94

Function 0045342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00453459
CoUninitialize.OLE32 ref: 00453463
VariantInit.OLEAUT32(?), ref: 0045346E
VariantClear.OLEAUT32(?), ref: 0045371B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: b0db27552a1e870f93940996d4582c23e317843fdfba6f6b3716768ffda718d0
Instruction ID: 180fa0f66ba25d35e59b8b55e9277aa8dc83425f14b747ad22115bdf3cf0ba96
Opcode Fuzzy Hash: b0db27552a1e870f93940996d4582c23e317843fdfba6f6b3716768ffda718d0
Instruction Fuzzy Hash: E3A19B762042009FC711DF24D481A2AB7E5FF89355F04895EFC8A9B362EB34EE05CB96

Function 00430436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0046FC08,?), ref: 004305F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0046FC08,?), ref: 00430608
CLSIDFromProgID.OLE32(?,?,00000000,0046CC40,000000FF,?,00000000,00000800,00000000,?,0046FC08,?), ref: 0043062D
_memcmp.LIBVCRUNTIME ref: 0043064E

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 997b728157891c79e133f2435963d4da6eb5241f092b8c4ce72fbb94a0891a86
Instruction ID: cb9866647792de07ad87e619b6de4c6c486343ece7171d4b7225337cc5f8c353
Opcode Fuzzy Hash: 997b728157891c79e133f2435963d4da6eb5241f092b8c4ce72fbb94a0891a86
Instruction Fuzzy Hash: 6F814971A00209EFCB04DF94C994EEEB7B9FF89315F204199E506AB250DB75AE06CB64

Function 0045A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0045A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0045A6BA

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0045A79C
CloseHandle.KERNEL32(00000000), ref: 0045A7AB

Part of subcall function 003ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00413303,?), ref: 003ECE8A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 1940dd45632f885acaa4b961f7a92ce7f8a4c81af6aeba22da85285783af90e3
Instruction ID: d40d2d19a092b41ade10cd0a181f2a8ad33d5884d0610934a70f44fe57e5aa4a
Opcode Fuzzy Hash: 1940dd45632f885acaa4b961f7a92ce7f8a4c81af6aeba22da85285783af90e3
Instruction Fuzzy Hash: A55170715083009FD311EF25D886A6BBBE8FF89754F00492EF99597392EB70D904CB92

Function 00411391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004114C0

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d50cf024b78455fa0e06f91bdcd3129f975d36353e1b347b5f1fbcc9cb5239dd
Instruction ID: d59887ca2acf1c1949dbbd004a6b19ba90e28f8afe2f38188fbd081b8d2e4cf0
Opcode Fuzzy Hash: d50cf024b78455fa0e06f91bdcd3129f975d36353e1b347b5f1fbcc9cb5239dd
Instruction Fuzzy Hash: D0417C356001047BDB226BF98C45AFF3AA5EF41734F14063BFA18D62F2E67C4881476A

Function 00466278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004662E2
ScreenToClient.USER32(?,?), ref: 00466315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00466382

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f040873f2c1b2411e7bdc35dbd902867291744e051977328158ca9fe99361e14
Instruction ID: 0869e532a80270f7cf3f7c96e887886ea7b27e97ad5de2e763dd6a2fb86400c2
Opcode Fuzzy Hash: f040873f2c1b2411e7bdc35dbd902867291744e051977328158ca9fe99361e14
Instruction Fuzzy Hash: F7512975A00209AFCF10DF68D8809AF7BB6EB45364F11826AF8559B3A0E734ED81CB55

Function 00451AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00451AFD
WSAGetLastError.WSOCK32 ref: 00451B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00451B8A
WSAGetLastError.WSOCK32 ref: 00451B94

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a0984c67a16530fce649ae5c04613e575e55d826b521aee8fbd77a512c2d13cc
Instruction ID: d19b026ffaa6d91c5083137435021aac3f871bf045ec7d0c50a2853f5c904474
Opcode Fuzzy Hash: a0984c67a16530fce649ae5c04613e575e55d826b521aee8fbd77a512c2d13cc
Instruction Fuzzy Hash: 4B411235600200AFE721AF20D886F3A77E5AB44708F548449F91A9F3D3E7B6ED41CB91

Function 0040B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7deaa14f6ba7fda9697d0621c2e49308180bc872722d044279ca1a7474f64cf
Instruction ID: d277bb0e3dcf0fbb1e045119279949817113986cd52a919c254e210f70cb50c3
Opcode Fuzzy Hash: c7deaa14f6ba7fda9697d0621c2e49308180bc872722d044279ca1a7474f64cf
Instruction Fuzzy Hash: 8041F271A00304BFD7249F78CC41BAABBA9EB88714F10857FF545AB2D1D3799A0187C8

Function 004456D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00445783
GetLastError.KERNEL32(?,00000000), ref: 004457A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004457CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004457FA

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 124b68e4cfeceb6edef3001c287b0473e2d3389d31ada0d207d9cb71eb845454
Instruction ID: 1273a257b548a7a9ef2c29af0b6979a7831862d01616d818fb3610ced3f9d6b1
Opcode Fuzzy Hash: 124b68e4cfeceb6edef3001c287b0473e2d3389d31ada0d207d9cb71eb845454
Instruction Fuzzy Hash: 4D415E3A600610DFCB11EF15D444A5EBBE2EF49720B198499EC4A9F362DB34FD00CB95

Function 0040D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,003F6D71,00000000,00000000,003F82D9,?,003F82D9,?,00000001,003F6D71,?,00000001,003F82D9,003F82D9), ref: 0040D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0040D9AB
__freea.LIBCMT ref: 0040D9B4

Part of subcall function 00403820: RtlAllocateHeap.NTDLL(00000000,?,004A1444,?,003EFDF5,?,?,003DA976,00000010,004A1440,003D13FC,?,003D13C6,?,003D1129), ref: 00403852

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5695997ba7b35d1141ae8f19f098745ea13e66000cdfc10f7fe90135a3d27927
Instruction ID: 063856a000e7a14867c2caeb9a82cf2393d70e9cdb52f982bac76e0c6026f16a
Opcode Fuzzy Hash: 5695997ba7b35d1141ae8f19f098745ea13e66000cdfc10f7fe90135a3d27927
Instruction Fuzzy Hash: 22319FB2A0020AABDB259FA5DC81EAF7BA5EF41310F05417AFC04E6291E739CD54CB94

Function 004652C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00465352
GetWindowLongW.USER32(?,000000F0), ref: 00465375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00465382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004653A8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ea364e07c96dc380aba9d1b9eda8e3f1b8eb494ed38dfb4d618f052d96cd9b77
Instruction ID: 41f10352ad0dbc23df6459bbeadf10acc7758f682bf533abc4e632b7a366fa8e
Opcode Fuzzy Hash: ea364e07c96dc380aba9d1b9eda8e3f1b8eb494ed38dfb4d618f052d96cd9b77
Instruction Fuzzy Hash: 2C31D034A55A08EFEB309E14CC45BEA3765AB05B90F584113FE119A3E0E7B89DC0DB4B

Function 0043AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0043ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0043AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0043AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0043ACC6

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5631b8d813f5ec6f259e6e81cab5871cf734739dd7d12fb17347e9f0684fe675
Instruction ID: 7d09879f84bb63a97432022ce87aebeeb60cbecfd5d523cd1d9a5ddb66036285
Opcode Fuzzy Hash: 5631b8d813f5ec6f259e6e81cab5871cf734739dd7d12fb17347e9f0684fe675
Instruction Fuzzy Hash: 24310530A842186FEB25CB6588097FB7AA5AB4D310F08721BE4C1522D1D37D8DA1875B

Function 00467674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0046769A
GetWindowRect.USER32(?,?), ref: 00467710
PtInRect.USER32(?,?,00468B89), ref: 00467720
MessageBeep.USER32(00000000), ref: 0046778C

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: df7bd8cc6ce8cc8f048d481ddf24dc8ebc46c44ee68edf6fa56f58d466988298
Instruction ID: a2b53ea3151497287f861ffdb88b5e9ef3d6eb51fe088983bdbe49d7366ce152
Opcode Fuzzy Hash: df7bd8cc6ce8cc8f048d481ddf24dc8ebc46c44ee68edf6fa56f58d466988298
Instruction Fuzzy Hash: 5341AD74605214DFDB01CF58C894EAA7BF4FB49319F1880BAE4149B361E738B941CF9A

Function 004616DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004616EB

Part of subcall function 00433A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00433A57
Part of subcall function 00433A3D: GetCurrentThreadId.KERNEL32 ref: 00433A5E
Part of subcall function 00433A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004325B3), ref: 00433A65

GetCaretPos.USER32(?), ref: 004616FF
ClientToScreen.USER32(00000000,?), ref: 0046174C
GetForegroundWindow.USER32 ref: 00461752

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 46d20cffa5bc87ca9105941e0794bf96e7569cc06b4629e868c47fc7ee714898
Instruction ID: f4636b1f969f81b5dd86b7a1dde88fed6cf6066aa69480032974c898570288c9
Opcode Fuzzy Hash: 46d20cffa5bc87ca9105941e0794bf96e7569cc06b4629e868c47fc7ee714898
Instruction Fuzzy Hash: 9D316172D00249AFC701EFAAD881CAEB7FDEF48304B5480AAE415E7311E7359E45CBA1

Function 00468FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003E9BB2

GetCursorPos.USER32(?), ref: 00469001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00427711,?,?,?,?,?), ref: 00469016
GetCursorPos.USER32(?), ref: 0046905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00427711,?,?,?), ref: 00469094

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5459203f56077bf4401d44f3a65cec0723aa81244dff10772cfa7b5193214b0b
Instruction ID: b14586c501ba589a13c66087f1955f32b294b4922a5e33891951ae708a66fe30
Opcode Fuzzy Hash: 5459203f56077bf4401d44f3a65cec0723aa81244dff10772cfa7b5193214b0b
Instruction Fuzzy Hash: 7721AD35601018EFCF258F94CC98EFB3BB9EB4A350F00406AF9054B2A1E3B99D50DB66

Function 0043D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0046CB68), ref: 0043D2FB
GetLastError.KERNEL32 ref: 0043D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0043D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0046CB68), ref: 0043D376

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 41a40792b3f0f2d72c4c970355a380662def0f0dcf5d08b4bf840cb6d937a83b
Instruction ID: 686a782107220d43944bfef0edf5b4947a88a38fc08552808a19a32fc7eb63e8
Opcode Fuzzy Hash: 41a40792b3f0f2d72c4c970355a380662def0f0dcf5d08b4bf840cb6d937a83b
Instruction Fuzzy Hash: 3A21A0709082019F8300DF24E88156B77E4EF5A724F105A6FF899C73A1E7359D4ACB9B

Function 00431571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00431014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0043102A
Part of subcall function 00431014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00431036
Part of subcall function 00431014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00431045
Part of subcall function 00431014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0043104C
Part of subcall function 00431014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00431062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004315BE
_memcmp.LIBVCRUNTIME ref: 004315E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00431617
HeapFree.KERNEL32(00000000), ref: 0043161E

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 69079cc4685ccecb1c6c8a6de4819e0608be2146ec4d24af925e2c6398d55a19
Instruction ID: 2fb227859ffb285c71788dcd3971282375098c707485306e20d619278e1f09bf
Opcode Fuzzy Hash: 69079cc4685ccecb1c6c8a6de4819e0608be2146ec4d24af925e2c6398d55a19
Instruction Fuzzy Hash: 58219D31E40109EFDF00DFA5C945BEFB7B8EF49344F08446AE451AB251E774AA05CBA4

Function 00462782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0046280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00462824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00462832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00462840

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 186045cbc91d9a62f443c4770f45479def0ff3c56b770b0dc355f998306aa408
Instruction ID: d967dc610dcb0f27015818fa3361fb1a9484b6f306af996b0f2d35210e021dba
Opcode Fuzzy Hash: 186045cbc91d9a62f443c4770f45479def0ff3c56b770b0dc355f998306aa408
Instruction Fuzzy Hash: 0F210031204911BFD7109B24CD80FAABB95AF46324F14821AF4268B2E2D7B9EC42C796

Function 004378F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00438D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0043790A,?,000000FF,?,00438754,00000000,?,0000001C,?,?), ref: 00438D8C
Part of subcall function 00438D7D: lstrcpyW.KERNEL32(00000000,?,?,0043790A,?,000000FF,?,00438754,00000000,?,0000001C,?,?,00000000), ref: 00438DB2
Part of subcall function 00438D7D: lstrcmpiW.KERNEL32(00000000,?,0043790A,?,000000FF,?,00438754,00000000,?,0000001C,?,?), ref: 00438DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00438754,00000000,?,0000001C,?,?,00000000), ref: 00437923
lstrcpyW.KERNEL32(00000000,?,?,00438754,00000000,?,0000001C,?,?,00000000), ref: 00437949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00438754,00000000,?,0000001C,?,?,00000000), ref: 00437984

Strings

cdecl, xrefs: 0043797B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e3082603c2527c16a636f3610810939b1fffacbe9a1469365858dab6c7d430fc
Instruction ID: 02dc0a6833fef2769a302b2b7f31afdbe1bbad297b138d37d4dd58908964127f
Opcode Fuzzy Hash: e3082603c2527c16a636f3610810939b1fffacbe9a1469365858dab6c7d430fc
Instruction Fuzzy Hash: C711E4BA200341ABDB259F35C844E7B77A5EF89350B10512BF882CB3A4EB759801C759

Function 00465660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004656BB
_wcslen.LIBCMT ref: 004656CD
_wcslen.LIBCMT ref: 004656D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00465816

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 604be9fa348af79bc4975b5b2309f28f27afee2a56a8bdfcb7a309e881c4c0fd
Instruction ID: f9f9fca5fb1d0c9c928b7a23cb42ed2bd0646e31c273e32d34363cbfcd806869
Opcode Fuzzy Hash: 604be9fa348af79bc4975b5b2309f28f27afee2a56a8bdfcb7a309e881c4c0fd
Instruction Fuzzy Hash: DA11B17560060996DB20EF61CC85AFF77ACAF11764F10406BF915D6181FBB8CA84CB6A

Function 00431A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00431A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00431A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00431A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00431A8A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 02180bbb1a5efb83d5a3498582ee37a425b5f39328bc0f2cbeaba5c24f790ccd
Instruction ID: d4f318a1193c79644ee1fec1b796f8f11ba1c074f2fc12e1850c08c3888292f4
Opcode Fuzzy Hash: 02180bbb1a5efb83d5a3498582ee37a425b5f39328bc0f2cbeaba5c24f790ccd
Instruction Fuzzy Hash: CC110C3AD01219FFEB11DBE5CD85FADBB78EB08750F200096E604B7290D6716E51DB98

Function 0043E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0043E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0043E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0043E24D

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d005f6ab3a3fc2a286874168c8daba452367e6b9508ccccecdf7502604989229
Instruction ID: 446ef5de35c5380ec43a427a2396e40eff1d84c3c04d5670be61c4468dda1ca5
Opcode Fuzzy Hash: d005f6ab3a3fc2a286874168c8daba452367e6b9508ccccecdf7502604989229
Instruction Fuzzy Hash: 97112B72A05254BBDB019FA99C49AEF7FAC9B46310F004276FD14D33D1D2B4DD008BA5

Function 003FD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,003FCFF9,00000000,00000004,00000000), ref: 003FD218
GetLastError.KERNEL32 ref: 003FD224
__dosmaperr.LIBCMT ref: 003FD22B
ResumeThread.KERNEL32(00000000), ref: 003FD249

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 4231909bbd59c2ea5d6d69e516774a9db49896aa128146cbb5854698c43d451c
Instruction ID: 3823109bde4ff12b23d09283e73f49991f91c293985835bf9e6913dc4d2b4ccc
Opcode Fuzzy Hash: 4231909bbd59c2ea5d6d69e516774a9db49896aa128146cbb5854698c43d451c
Instruction Fuzzy Hash: 7001D23680520CBBDB136BA5DC4DBBE7A6EDF82331F110629FA25961D0DBB18941C7E1

Function 003D600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003D604C
GetStockObject.GDI32(00000011), ref: 003D6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 003D606A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 01c95adea0bbec4a77ac01708c49c4ed4ca9a29200288ecd6564147cfb95d0ad
Instruction ID: 641cc80c40fe535e5c8dfd22f970ed141d13ed23b893f67804466a870b1eba96
Opcode Fuzzy Hash: 01c95adea0bbec4a77ac01708c49c4ed4ca9a29200288ecd6564147cfb95d0ad
Instruction Fuzzy Hash: 9611AD73105509BFEF125FA4EC85EEABB6DEF093A4F010216FA2452220D776DC60DBA5

Function 003F3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 003F3B56

Part of subcall function 003F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 003F3AD2
Part of subcall function 003F3AA3: ___AdjustPointer.LIBCMT ref: 003F3AED

_UnwindNestedFrames.LIBCMT ref: 003F3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 003F3B7C
CallCatchBlock.LIBVCRUNTIME ref: 003F3BA4

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: a3be210c1483714b38b41b5166dbc65630ffa2c0cd5b6e3d66578870e3115cfd
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2301E93210014DBBDF125E95CC46EFB7B69EF98754F054015FF486A121D732E961DBA0

Function 00403073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003D13C6,00000000,00000000,?,0040301A,003D13C6,00000000,00000000,00000000,?,0040328B,00000006,FlsSetValue), ref: 004030A5
GetLastError.KERNEL32(?,0040301A,003D13C6,00000000,00000000,00000000,?,0040328B,00000006,FlsSetValue,00472290,FlsSetValue,00000000,00000364,?,00402E46), ref: 004030B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0040301A,003D13C6,00000000,00000000,00000000,?,0040328B,00000006,FlsSetValue,00472290,FlsSetValue,00000000), ref: 004030BF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1ad1054d70e42cc5192ec29197e940958a93c3fc9f03f2f4566b26b308ee88cb
Instruction ID: 6114c23c13bcbf13400d8002f57ad79f7cddda0d9fa180902813c79369140e27
Opcode Fuzzy Hash: 1ad1054d70e42cc5192ec29197e940958a93c3fc9f03f2f4566b26b308ee88cb
Instruction Fuzzy Hash: A101D432753222ABCB214F799C849677F9CAF05B62B104632F946F3284D735D902C6E9

Function 00437464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0043747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00437497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004374AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004374CA

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 89a0680bddff0b4f6ca2723a1194d13a1c651c4b32551f518da26fa2bf504c31
Instruction ID: 7ba4bb11be97e09f827cca803f0e73504ebadbb3ba09a80221fea11be25c781d
Opcode Fuzzy Hash: 89a0680bddff0b4f6ca2723a1194d13a1c651c4b32551f518da26fa2bf504c31
Instruction Fuzzy Hash: 3911A1F1205310ABE730CF54ED48BA27BFCEB04B00F10856AE696D6191E7B4F904DB96

Function 0043B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0043ACD3,?,00008000), ref: 0043B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0043ACD3,?,00008000), ref: 0043B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0043ACD3,?,00008000), ref: 0043B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0043ACD3,?,00008000), ref: 0043B126

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c2ef300fd402c0f11948e8020afef3d5cada6bd877f3cc22fb504c7031883bd0
Instruction ID: 27d61af7bc96855add576af29e7b53e2afa2e10e43be9646c04bb70ce00c9d0a
Opcode Fuzzy Hash: c2ef300fd402c0f11948e8020afef3d5cada6bd877f3cc22fb504c7031883bd0
Instruction Fuzzy Hash: A4117C30C0052CD7CF04AFA4D9987FEBB78FF0E310F004096DA81B6285CB7445508B9A

Function 00432DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00432DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00432DD6
GetCurrentThreadId.KERNEL32 ref: 00432DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00432DE4

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1e999c736576320bce6bbc56f4d1434b8e1cbe17516c34c9fb2d2d10a73da414
Instruction ID: edb6e501d4cd3105c810d6c51a75d7794888aa6e532db9ae8fe31534a86fa700
Opcode Fuzzy Hash: 1e999c736576320bce6bbc56f4d1434b8e1cbe17516c34c9fb2d2d10a73da414
Instruction Fuzzy Hash: 44E06D712412247ADB202B62DC4DFFB7E6CEF46BA1F001026F106D1080AAE58841C6BA

Function 00468863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 003E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003E9693
Part of subcall function 003E9639: SelectObject.GDI32(?,00000000), ref: 003E96A2
Part of subcall function 003E9639: BeginPath.GDI32(?), ref: 003E96B9
Part of subcall function 003E9639: SelectObject.GDI32(?,00000000), ref: 003E96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00468887
LineTo.GDI32(?,?,?), ref: 00468894
EndPath.GDI32(?), ref: 004688A4
StrokePath.GDI32(?), ref: 004688B2

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c4d1df39fac8029a5fd4979635adfdaabbbda1deef1dd500a6618f23ac209648
Instruction ID: 315dd36ba03890161cd59191b7aaf6374762aea5b0c236e929fc6e0e671a2020
Opcode Fuzzy Hash: c4d1df39fac8029a5fd4979635adfdaabbbda1deef1dd500a6618f23ac209648
Instruction Fuzzy Hash: A4F05E36041258FADB126F94AC09FDE3F59AF4A310F048111FA51651E1D7B95511CFEE

Function 003E98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003E98CC
SetTextColor.GDI32(?,?), ref: 003E98D6
SetBkMode.GDI32(?,00000001), ref: 003E98E9
GetStockObject.GDI32(00000005), ref: 003E98F1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 81067ae34790d56b621304eadec8573da25094c2258428b5bd549ccdf63f90af
Instruction ID: ec197295bd4987941faace9e8e69900bfd60a056ff4f3d6293c1bc11c8b1a32e
Opcode Fuzzy Hash: 81067ae34790d56b621304eadec8573da25094c2258428b5bd549ccdf63f90af
Instruction Fuzzy Hash: AFE06531244290AADB215B74BC49BE93F10AB12335F04822AF6FA940E1D3B546509F16

Function 0043162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00431634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004311D9), ref: 0043163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004311D9), ref: 00431648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004311D9), ref: 0043164F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7770268416641605f1e9cdc30d40a0b83fe01f0eeb6b03956e56b9d40dbe1480
Instruction ID: 624023b33b3b06ca38fa7852da298f3b9d86b44362f55d0ae3a1e25d7fd2c1cf
Opcode Fuzzy Hash: 7770268416641605f1e9cdc30d40a0b83fe01f0eeb6b03956e56b9d40dbe1480
Instruction Fuzzy Hash: 83E08631601211EBD7201FE19D4DB673B7CAF54791F144829F686C9090F6B84440CB99

Function 0042D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0042D858
GetDC.USER32(00000000), ref: 0042D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042D882
ReleaseDC.USER32(?), ref: 0042D8A3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ff610d7456f5f344e9765abe3d5519b546fd8cdc3b04cb35a2dfd3c05bb1a8b0
Instruction ID: dea79845e4b99cd7fe60dd786bcddf0d7f595094310a40f44cf74376c57dfd27
Opcode Fuzzy Hash: ff610d7456f5f344e9765abe3d5519b546fd8cdc3b04cb35a2dfd3c05bb1a8b0
Instruction Fuzzy Hash: 5FE01AB5800205DFCB41AFA1D84867DBBB6FB08310F14906AE88AE7250D7B85902AF4A

Function 0042D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0042D86C
GetDC.USER32(00000000), ref: 0042D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042D882
ReleaseDC.USER32(?), ref: 0042D8A3

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 638093efa6994b345b33bf8a756896797eb492b93476655f40543c6dc4ccd326
Instruction ID: 3688e543df6bc19183bf01ed50e23d50a4867baa64f1cfc9744570a53f8803d4
Opcode Fuzzy Hash: 638093efa6994b345b33bf8a756896797eb492b93476655f40543c6dc4ccd326
Instruction Fuzzy Hash: EAE01A71800200DFCB419FA0D84866DBBB5FB08310B149019E88AE7250D7B859029F49

Function 00444D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7620: _wcslen.LIBCMT ref: 003D7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00444ED4

Strings

*, xrefs: 00444E10
LPT, xrefs: 00444DFB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: df7d6fb368dc009839f154869bf1f23661b58469ef96296e1c82be348a384254
Instruction ID: af77b1563d9ab324252896b2d46c0562de72743b55037d645524308f9b7b2c08
Opcode Fuzzy Hash: df7d6fb368dc009839f154869bf1f23661b58469ef96296e1c82be348a384254
Instruction Fuzzy Hash: F2917375A002049FDB15DF58C484FAABBF1BF85304F15809AE80A9F3A2D735EE85CB95

Function 003FE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003FE30D

Strings

pow, xrefs: 003FE2E5, 003FE302

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b0613df7e72f4ca9061341e79f8ce892d86f13720e7f2d223e003728a1225e5a
Instruction ID: f977091f82e6848f31ad319d36bb39ee4207af4b04f034f9fd780557de093d9b
Opcode Fuzzy Hash: b0613df7e72f4ca9061341e79f8ce892d86f13720e7f2d223e003728a1225e5a
Instruction Fuzzy Hash: F0516961E0D20696CB127714C94537A3BA4AF40740F348D7BE195523F9EB389CD19A8F

Function 00457771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0042569E,00000000,?,0046CC08,?,00000000,00000000), ref: 004578DD

Part of subcall function 003D6B57: _wcslen.LIBCMT ref: 003D6B6A

CharUpperBuffW.USER32(0042569E,00000000,?,0046CC08,00000000,?,00000000,00000000), ref: 0045783B

Strings

<sI, xrefs: 004577C8

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sI
API String ID: 3544283678-3642889959
Opcode ID: b97f2e42eb6cda3fa1305c9215a88f490491168d65c208e08dafb6c3b2246281
Instruction ID: b606292fe34f743525ae558dad442dc0b73efe30ba860c5ac97b0d29ac6b7a8b
Opcode Fuzzy Hash: b97f2e42eb6cda3fa1305c9215a88f490491168d65c208e08dafb6c3b2246281
Instruction Fuzzy Hash: B66163769141189ACF06FBA4EC91DFDB374BF14301B544137F942AB292EF385A09CBA5

Function 003EE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 003EE1B1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 846f26c3c4fc19009cb7cb3b2ae5e9b2ee9d2a5b58e9fcc43ae11775b8c17641
Instruction ID: 23bc29b4e7e810944197df8ef5448ae848ef698558209395b19b6f7fa82ba300
Opcode Fuzzy Hash: 846f26c3c4fc19009cb7cb3b2ae5e9b2ee9d2a5b58e9fcc43ae11775b8c17641
Instruction Fuzzy Hash: 955186316002A6DFDF16EF6AE0806FA7BA8EF55310F604456EC818B3C0D7389D42CB68

Function 003EF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 003EF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 003EF2BB

Strings

@, xrefs: 003EF2AF

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: df7ffbf8e7cd06068d8686bb7f76a6dd3aeb73b76cd6a1431ce8b03d32e7c276
Instruction ID: 7cb5bf742884c2974d54ce87303521df20f95d03b70c2cdbd345c876f0e19873
Opcode Fuzzy Hash: df7ffbf8e7cd06068d8686bb7f76a6dd3aeb73b76cd6a1431ce8b03d32e7c276
Instruction Fuzzy Hash: 665168724187459BD321AF10EC86BAFB7FCFB84304F81885EF1D9411A5EB308529CB66

Function 00455745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004557E0
_wcslen.LIBCMT ref: 004557EC

Strings

CALLARGARRAY, xrefs: 004557E6, 004557EB

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: fc1a0440ca441acd92f95aecd792a96c41a73daf503134b697b9298d828982e2
Instruction ID: 73b5c6a1becf44d850f2cdd3c354907b9505151bf1335fabd63ee5aaf294f462
Opcode Fuzzy Hash: fc1a0440ca441acd92f95aecd792a96c41a73daf503134b697b9298d828982e2
Instruction Fuzzy Hash: DC41E431E001059FCB14EFA9C8919BEBBB5FF59315F10406AE805AB392E7789D85CB94

Function 0044D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0044D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0044D13A

Strings

|, xrefs: 0044D10B

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 84c665265741e6c8c7df9ee729fba5705c94963f2302ae4d3247f45f2df942d0
Instruction ID: 4a65e7d2489eb3ff1c294ac5933521901ea981aaabb0a8cb274ac9f029360c75
Opcode Fuzzy Hash: 84c665265741e6c8c7df9ee729fba5705c94963f2302ae4d3247f45f2df942d0
Instruction Fuzzy Hash: 5B312C75D00209ABDF16EFA4DD85AEF7FB9FF04300F00001AF915AA261E735AA06DB54

Function 0046356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00463621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0046365C

Strings

static, xrefs: 004635BC

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e957d19ca4c68ea29fe9f6be44ac803be8402682d8863de96df36c851b0cdb0b
Instruction ID: 94282cba58ad98a3cbb719a694df71918199e81313e2f3b145f49ea33d6ff85f
Opcode Fuzzy Hash: e957d19ca4c68ea29fe9f6be44ac803be8402682d8863de96df36c851b0cdb0b
Instruction Fuzzy Hash: 8D31B071110244AEDB20DF68DC80EFB73A9FF48724F00961EF8A597290EA74AD81C769

Function 00464537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0046461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00464634

Strings

', xrefs: 0046458E

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 10eb7059223b0eb291697ff01e22051aef0427302fde406474e52f6b8c6a31e0
Instruction ID: 28728ff17cbb6b77e8443159a271dee6ac6da39ad6ae457ef3ff1f29eeaa7945
Opcode Fuzzy Hash: 10eb7059223b0eb291697ff01e22051aef0427302fde406474e52f6b8c6a31e0
Instruction Fuzzy Hash: 95312A74A0130AAFDF14CFA9C990BDA7BB5FF49300F14406AEA05AB391E774A941CF95

Function 004631EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00463287

Strings

Combobox, xrefs: 00463249

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 84aa500398b4b5197d904eb5d24158f4e796a0abccc10340684c5e1432b503b2
Instruction ID: 26b679705a73d38eebfeed8a5e1e08eb540750c7c048460e732d4c221686fcc5
Opcode Fuzzy Hash: 84aa500398b4b5197d904eb5d24158f4e796a0abccc10340684c5e1432b503b2
Instruction Fuzzy Hash: 7311E2713002487FFF219F94DC90EBB3BAAEB943A5F10012AF92897390E6799D518765

Function 00463710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003D604C
Part of subcall function 003D600E: GetStockObject.GDI32(00000011), ref: 003D6060
Part of subcall function 003D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003D606A

GetWindowRect.USER32(00000000,?), ref: 0046377A
GetSysColor.USER32(00000012), ref: 00463794

Strings

static, xrefs: 00463757

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3299d53c4785fbb5e527f5e690c1c0385968e8fe10e5def57bcd0a524cc72913
Instruction ID: d3d4194d33a35240334353d075937906feaed28e98898f4b617ce3f481d19f26
Opcode Fuzzy Hash: 3299d53c4785fbb5e527f5e690c1c0385968e8fe10e5def57bcd0a524cc72913
Instruction Fuzzy Hash: 9F116DB2610209AFDF00DFA8CC45EFA7BB8FB08305F004525F955E2250E779E8519B55

Function 0044CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0044CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0044CDA6

Strings

<local>, xrefs: 0044CD66

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 155778de46cad47cb69b05b7b8697e9bb2faa392089837d76e8b9eafcf7ceee5
Instruction ID: 1fc3720bc104d3f08ea544dca597072d73d939b4d9e8c6d508a793c3c3b09666
Opcode Fuzzy Hash: 155778de46cad47cb69b05b7b8697e9bb2faa392089837d76e8b9eafcf7ceee5
Instruction Fuzzy Hash: 5611E3B1A426327AE7684A668CC4EF3BE68EF527A4F044237B10982180D6689841D6F5

Function 00463429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004634AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004634BA

Strings

edit, xrefs: 0046348F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 80e5b1b67863a7052483c3f217f4e759cbea445978effa1d816515c7e684d772
Instruction ID: 41b644e793445584de3eed5d62fab1ffaa021b6e2e9ace942a2ec16c54e1260f
Opcode Fuzzy Hash: 80e5b1b67863a7052483c3f217f4e759cbea445978effa1d816515c7e684d772
Instruction Fuzzy Hash: 1511C471100244AFEF114E64DC80AFB7769EF05379F504326F961932E0EB79DC519B5A

Function 00436C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00436CB6
_wcslen.LIBCMT ref: 00436CC2

Strings

STOP, xrefs: 00436CBC, 00436CC1

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f162f37a1d7027252b0588bc3ecd0c9915c7ba359d93d6af418daf4521666dd8
Instruction ID: 783d0267a67930cf2d90fa98b66aa77f4d012eee7e8b753d7ebbe6aa323bfda1
Opcode Fuzzy Hash: f162f37a1d7027252b0588bc3ecd0c9915c7ba359d93d6af418daf4521666dd8
Instruction Fuzzy Hash: C60108326005279ACB119FBDEC809BF77B4EA68714B12553AE45297295EB39D800C754

Function 00431BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

Part of subcall function 00433CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00433CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00431C46

Strings

ListBox, xrefs: 00431C10
ComboBox, xrefs: 00431BE5

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8bc5b49d54b5214e277fde275876ac10915020f61767b1e34850fc3c2b0e218f
Instruction ID: b7b56c9c7819a561c77cf83c668ad541949cfab56e0e2d83a902a93e6d9b72a6
Opcode Fuzzy Hash: 8bc5b49d54b5214e277fde275876ac10915020f61767b1e34850fc3c2b0e218f
Instruction Fuzzy Hash: 0701F77278010466CF05EBA1D951AFF77A89B19340F10202BB41667391EA289E08C7BA

Function 00431C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

Part of subcall function 00433CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00433CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00431CC8

Strings

ListBox, xrefs: 00431C94
ComboBox, xrefs: 00431C69

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 70938ba2afd25806f66c46a91cc88feb16182c77a9e1da9decdd3ee2cb6e511d
Instruction ID: 440ea6a4562b1c91179b33e66c759d5c78dbf91babed8af60672d97356ff49e1
Opcode Fuzzy Hash: 70938ba2afd25806f66c46a91cc88feb16182c77a9e1da9decdd3ee2cb6e511d
Instruction Fuzzy Hash: AD01DB7278011467CF05EBA0DA01BFF77A89B15340F242017B801773D1EA689F09D67A

Function 003EA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003EA529

Part of subcall function 003D9CB3: _wcslen.LIBCMT ref: 003D9CBD

Strings

3yB, xrefs: 003EA545, 003EA54D, 003EA552
,%J, xrefs: 003EA509

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%J$3yB
API String ID: 2551934079-3204569432
Opcode ID: 76439653f32c42c1779748796bb1073adade58483ceb580a50e46c9c24aad0d3
Instruction ID: 6b38848c3f0ea5bf16180f53f91a9fa4f9d50b4a30964fcae4e717a1c1bbceed
Opcode Fuzzy Hash: 76439653f32c42c1779748796bb1073adade58483ceb580a50e46c9c24aad0d3
Instruction Fuzzy Hash: 31014732B00A6497C607F36DE947BBD33549B07710F100566F5012F2C3EE507D019A9B

Function 00468172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004A3018,004A305C), ref: 004681BF
CloseHandle.KERNEL32 ref: 004681D1

Strings

\0J, xrefs: 0046818A

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0J
API String ID: 3712363035-3551039675
Opcode ID: 9c94ef2c944478019e3bec2a0fd577823a8b9622cac2daa9edcb77a4a162abca
Instruction ID: 48de1adf5716459adaee155d6c144e8c85320854297b45750d19c1ad72100e51
Opcode Fuzzy Hash: 9c94ef2c944478019e3bec2a0fd577823a8b9622cac2daa9edcb77a4a162abca
Instruction Fuzzy Hash: D8F05EF1644304BAE2206F61AC45FB77E5CDB0A752F004432FB08D91A2F6798E4082BD

Function 0045747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00457493
_wcslen.LIBCMT ref: 004574B9

Strings

3, 3, 16, 1, xrefs: 00457483

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: c2387b52e0847e2e321af587b329176ffd248a10a1fd18ff59273671b6164a41
Instruction ID: ec030014dd799d08156ff0d2ffe98500c13e85628cb22f5ad1db9ee7596733c3
Opcode Fuzzy Hash: c2387b52e0847e2e321af587b329176ffd248a10a1fd18ff59273671b6164a41
Instruction Fuzzy Hash: E0E02B02314220109232127ABCC1A7F5A89CFC6791714183FFE85C6367EBD88D9193A4

Function 00430B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00430B23

Strings

Error allocating memory., xrefs: 00430B1C
AutoIt, xrefs: 00430B17

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: c10d6e5cf39501b6807f65211c31c1082177ecc50545f048797686c04999600b
Instruction ID: 231eace81385c27244945173fa4154564501453db2ebde87a375d5ae6c29ae95
Opcode Fuzzy Hash: c10d6e5cf39501b6807f65211c31c1082177ecc50545f048797686c04999600b
Instruction Fuzzy Hash: A6E0D8322443582AD31136957C43F9A7A848F05B11F204427F798995C39AE6645006EE

Function 003F0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003F0D71,?,?,?,003D100A), ref: 003EF7CE

IsDebuggerPresent.KERNEL32(?,?,?,003D100A), ref: 003F0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003D100A), ref: 003F0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003F0D7F

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8f8459916537507250a37f1644c4bfd98e3a6857e9bc99cde5b911933c5f28a1
Instruction ID: 97ae8042398d4265be2b80d5d2a7cb1b7bd346ecedbf5d41131b9361a6e656b6
Opcode Fuzzy Hash: 8f8459916537507250a37f1644c4bfd98e3a6857e9bc99cde5b911933c5f28a1
Instruction Fuzzy Hash: D9E06D742003518BD7259FBCE5443667BE4AB04744F00897EF9C6C6662EBF5E4488B92

Function 003EE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003EE3D5

Strings

8%J, xrefs: 003EE3CA
0%J, xrefs: 003EE3B5

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%J$8%J
API String ID: 1385522511-201284201
Opcode ID: abdf63dc60ff70a8206c8120a43ab81f271c3401a88cf7b384aa4a7f7be066ba
Instruction ID: a256d637fd5a3b98a7890a4f325e8d869ec4f6cdad36a273958d7ef331471d10
Opcode Fuzzy Hash: abdf63dc60ff70a8206c8120a43ab81f271c3401a88cf7b384aa4a7f7be066ba
Instruction Fuzzy Hash: D5E0263DC00974EBC60A971DBA74ADA3395BB06320B900276E1028B5D2DBB42841A65C

Function 00443017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0044302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00443044

Strings

aut, xrefs: 00443038

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 15b3d34fbd7b2067b6111cda9e6d0ea459172c1636d653684c731d22d86a4cf4
Instruction ID: edaafe4579b9bed676ed9de9af26c98578651375ce485693615a024dd893b83e
Opcode Fuzzy Hash: 15b3d34fbd7b2067b6111cda9e6d0ea459172c1636d653684c731d22d86a4cf4
Instruction Fuzzy Hash: A4D05E7290032867DA20A7A4EC4EFDB3A6CDB05750F0002B2BA95E2091EAF49984CAD5

Function 00462356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0046236C
PostMessageW.USER32(00000000), ref: 00462373

Part of subcall function 0043E97B: Sleep.KERNEL32 ref: 0043E9F3

Strings

Shell_TrayWnd, xrefs: 00462365

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a62963a888f21282061ebc0011bf5ae7107fe764731a6dbf87579943a3f07bdd
Instruction ID: b70fe63fd58ab6c0af9d3ff04226d21405291f13de3ee96cfbcaaa0e2d42fee7
Opcode Fuzzy Hash: a62963a888f21282061ebc0011bf5ae7107fe764731a6dbf87579943a3f07bdd
Instruction Fuzzy Hash: 4BD0C972381310BAEA64B771EC4FFD66A149B08B14F114926B686AA1D0D9E4A8018A5D

Function 00462322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0046232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0046233F

Part of subcall function 0043E97B: Sleep.KERNEL32 ref: 0043E9F3

Strings

Shell_TrayWnd, xrefs: 00462325

Memory Dump Source

Source File: 00000000.00000002.2101622829.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2101589760.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2101853059.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102154151.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102306711.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_random.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 902424e8d47606682ca3b614647da29749980517a59b3ff78690757af33aee81
Instruction ID: a1f01926e5cd94cc2da99a38cb43be3de743bcfe155b3d60f63ed26f21addb0d
Opcode Fuzzy Hash: 902424e8d47606682ca3b614647da29749980517a59b3ff78690757af33aee81
Instruction Fuzzy Hash: 6FD0A932380310B6EA64B371EC4FFD66A049B04B00F000926B286AA0D0D9E4A8008A0C

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2162153076.000002F432555000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225805472.00003BD68F503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161164524.000002F432555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2225805472.00003BD68F503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2252220236.000002F43CF59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2251206454.000002F43DB06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2252220236.000002F43CF59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240171901.000002F433751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2251206454.000002F43DB06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2237476993.000002F439C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2237476993.000002F439C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3898466232.0000026AF5903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3899381751.000002255610C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3898466232.0000026AF5903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3899381751.000002255610C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3898466232.0000026AF5903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3899381751.000002255610C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2242360914.000002F432BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2246351940.000002F43D7DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255695555.000002F439C52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277299854.000002F43CF8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2246351940.000002F43D7DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251206454.000002F43DB06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255695555.000002F439C52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2277299854.000002F43CF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252220236.000002F43CF59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2240171901.000002F433751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.5:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50033 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_31595935-f0fa-4675-bc23-066213b616a0.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_31595935-f0fa-4675-bc23-066213b616a0.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1WI20H3RJUTZRLG3VI8R.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FPWXM17X5LO482VEKOVX.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
random.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre